Abstract
Scalable and secure implementation of central bank digital currencies (CBDC) has been a challenge. Blockchains provide high operator-independent security and enable central banks to outsource CBDC operations while retaining control over the amount of circulating money. Scalability of a blockchain depends on the possibility of decomposing the blockchain. We study how the choice of money scheme (accounts, bills, or unspent transaction outputs (UTXOs)) influences the existence of secure and decomposable blockchain implementations of CBDC. We give formal definitions of money schemes, their decompositions, and atomic decompositions inspired by the properties of blockchain implementations. For our formalism, we use tools from universal algebra and category theory. We present a general decomposition theory and conditions under which money schemes have atomic decompositions. Bill money schemes meet these conditions but account and UTXO schemes do not. Bill schemes enable scalable and secure implementations of CBDC while the more traditional schemes have some issues.
Introduction
During the last years, central banks have discussed possible use of central bank digital currencies (CBDC)—electronic cash. Besides the financial and economic factors also the scalability and security of technical implementations of CBDC have been studied. Blockchain technology provides a high level of security independent of the technical infrastructure and enables central banks to outsource most of the CBDC operations to the private sector while still having full control over the total amount of CBDC in circulation. The security measures may depend on whether the blockchain solution is public (permissionless) or private (permissioned). Private blockchains are less costly but their security needs somewhat more care as some type of insider attacks have to be considered.
Scalability has been the biggest technical concern of using blockchain-based CBDC. Nationwide deployment of electronic cash requires service rates of ten to hundred thousand transactions per second, while blockchain money solutions like Bitcoin only offer a rate of a few dozen transactions per second. The key to closing the scalability gap is the possibility of decomposing (sharding) the blockchain. The efficiency of decomposition highly depends on the need for inter-component communication. For example, whenever two accounts are in different components, paying from one account to another requires two simultaneous operations in both components: debiting one account and crediting the other. This is technically challenging as it requires solving the atomic commit problem (often called “two generals problem”), which has no deterministic time solutions if possible message loss is considered. On the other hand, if we imagine a single coin or bill given by one person to another, the only parameter that changes is the ownership of the coin/bill. Such an operation is atomic by definition. Hence, if an electronic money solution uses coins and bills to represent money and is sharded so that some coins and bills belong to one shard and others to another shard, then every single coin payment is uni-shard and does not require inter-shard communication.
In this paper, we present a general decomposition theory of money schemes and its implications about how the possibility of efficient sharding depends on the choice of the money scheme (accounts, coins, etc.). The theory explains why blockchain-based implementations of account-based and UTXO-based money schemes cannot be efficiently sharded, while bill-based money schemes have efficient and secure sharding mechanisms. For our formalism, we use universal algebra and category theory as essential tools, because this provides us with the appropriate level of abstraction to find, prove and apply results on decomposability and indecomposability of e-money and payment systems.
This work also focuses on the security of sharded blockchain implementations of the bill money scheme considering that the blockchain is used in a permissioned and controlled scenario by the central bank. However, we consider the possibility that the central bank can outsource most of the service machinery to the private sector. The security of the solution is based on special types of lightweight user-initiated audit protocols that are executed during every payment. The goal of the audit procedure is to verify that each particular bill is properly used, i.e., all the ledger rules are fulfilled. We study two types of audit protocols:

1. Full audit—if successful, guarantees that the ledger rules are followed

2. Probabilistic audit—guarantees that any deviation from ledger rules will be detected very soon. The motivation behind probabilistic audit is that the communication complexity of the audit protocol is reduced.
The existence of communication-efficient probabilistic protocols seems to depend on the chosen money scheme and the blockchain certification scheme. We show that such protocols exist in the KSICash CBDC solution [1] that is based on the bill money scheme, i.e. simulates the use of physical cash. It remains an open question if efficient probabilistic audit protocols exist for other money schemes.
In “Related work”, we provide a discussion of related work. In “Money schemes” and “Descriptional complexity of payments”, we explain money schemes and the decomposability of payments. We formalize the implementation and decomposition of money schemes and investigate their blockchain implementations in “Implementations of money schemes and Blockchain implementations”. In “Atomic decomposition of money schemes”, we formalize atomic decompositions—a class of decompositions that takes into account the aspects of blockchain implementations. We show that the bill scheme has atomic decompositions and the account and UTXO schemes do not. In “Unitwise decompositions of money schemes”, we study a special kind of decompositions called unitwise decompositions and give necessary and sufficient conditions for money schemes that guarantee the existence of atomic unitwise decompositions. In “Security of blockchain implementations, Rules of a bill ledger and User side full audit”, we discuss diverse security aspects of blockchain implementations. In “KSIcash bill ledger and User side probabilistic audit in KSIcash”, we describe KSICash and its user side probabilistic audit. We finish the paper with a discussion in “Discussion” and a conclusion in “Conclusions”.
Related Work
Central Bank Digital Currencies
RSCoin [2] is an example of a sharded central bank digital currency. RSCoin is based on a blockchain as ledger and its architecture is centered around so-called mintettes (which are shards in usual database terminology) and a trusted central component. Each mintette is responsible for a range of public client addresses. Together, the mintettes create consensus on valid blocks, which are then certified by the central component. The necessary communication between the mintettes is achieved indirectly via the wallets running a two-phase-commit protocol. Here, each wallet decides individually based on incoming majority votes.
The Hamilton Project [3] by the Federal Reserve Bank of Boston and the Massachusetts Institute of Technology Digital Currency Initiative is a concept study on the implementation of central bank digital currency. The study investigates two architectures. The first is the so-called atomizer architecture, which is a blockchain solution that relies on sharded transaction verification. The architecture is based on the UTXO scheme. The central component of the architecture is called atomizer. The atomizer collects verified payments from the shards and creates the blocks, which introduces a significant bottleneck to the system. Next, the study compares the atomizer solution with the so-called 2PC architecture (2-phase-commit architecture), which represents established (i.e., non-blockchain) transaction system technologies found in today’s banking.
The crucial difference between RSCoin and the Hamilton project on the one hand and KSI Cash on the other hand is in the utilized money schemes. Both RSCoin and the Hamilton project are based on the UTXO scheme, whereas KSI Cash is based on the bill money scheme. RSCoin and the Hamilton project need to deal with the severe issue of cross-shard transactions, whereas KSI Cash can instead deal with the comparatively moderate issue of increasing amounts of smaller money denominations [1].
An industrial-proven CBDC solution that is based on the bill scheme is G+D Filia provided by [4]. G+D Filia allows for offline consecutive payments and comes with a concept of money distribution as public-private partnership between central banks and commercial banks as intermediaries. In the context of this paper, G+D Filia is relevant because it is based on a bill money scheme, called value-based approach by [4]: “G+D Filia takes a value-based approach. Accordingly, monetary value is represented by a piece of data, a so-called value note. Payment is done by transferring this piece of data from one person to another, mirroring cash payments, which are carried out by transferring physical banknotes or coins from person A to person B” [4].
None of the related studies discussed in “Central bank digital currencies” aims at contributing to the theoretical understanding (and analysis) of payment systems as our paper.
Relevant Blockchain Technologies
Two recent surveys on sharding in blockchains are provided by [5] and [6]. Together, [5] and [6] investigate a total of 15 technologies, which are based on established e-money schemes (or do not specify an e-money scheme) as follows:

UTXO model: Elastico [7], SSChain [8], OmniLedger [9, 10], RapidChain [11, 12], Ostraka [13], and Stegos [14]

account model: Ethereum blockchains (including Ethereum [15], Ethereum 2.0 [16], and Ethereum upgrades), Monoxide [17], ZILLIQA [18], Harmony [19], and Logos (Table 2.2. in [20])

object-based money scheme: Chainspace [21]
None of the sharded blockchain technologies surveyed by [5] and [6] are based on a bill scheme. We have found one blockchain technology in the literature, i.e., CoinCash [24]; however, CoinCash is not a sharded blockchain technology. Instead, it is a Bitcoin sidechain [25] that aims at enhancing privacy by adding an overlay of transaction anonymization [26].
None of the related studies discussed in “Relevant blockchain technologies” aims at contributing to the theoretical understanding (and analysis) of payment systems as our paper.
The Extended UTXO Model
In [27], the Extended UTXO (EUTXO) model has been suggested that aims at allowing for a more expressive smart contract language (similar to Ethereum, which is based on an account money scheme) while keeping the semantic model as close as possible to the UTXO model and, therefore, as simple as possible (as compared to the semantic model of the account money scheme, which is considered more complex by [27]). “To maintain the machine state [the EUTXO model extends] UTXO outputs from being a pair of a validator \(\nu \) and a cryptocurrency value to being a triple (\(\nu \),value,\(\delta \)) of validator, value, and a datum \(\delta \), where \(\delta \) contains arbitrary contract-specific data” [27]. Then, [27] formally describes the EUTXO model in “a straightforward set-theoretic form, which (1) admits an almost direct translation into languages like Haskell for implementation, and (2) is easily amenable to mechanical formalisation” [27]. The work [27] results in a powerful semantic model that is fully formalised with the Agda proof assistant. The objective of [27] (increasing smart contract expressiveness plus achieving semantic simplicity) is different from the objective of this paper (theoretical foundation of payment systems to enable the analysis of payment system decomposition).
Formal Models of Blockchain Technology
In [28], the EUTXO model [27] (see “The extended UTXO model”) is made subject of further investigation. On the basis of this, [28] provides a set of recursive type equations specifying an Idealized EUTXO [28, 29] money scheme. The models of these type equations form a category IETUxO. Furthermore, [28] provides a novel perspective on blockchains in terms of partitions called chunks which “display resource separation properties reminiscent of known systems such as separation logic [30]” [28] and “communicate across channels (much like the \(\pi \)-calculus [31])” [28]. Reference [28] formalizes the concept of chunks as abstract chunk systems in terms of a set of testable algebraic properties. Again, abstract chunk systems form a category ACS. Finally, [28] is able to construct functors between the categories IETUxO and ACS that “exhibit a cycle of categorical embeddings between them” [28]. This way, [28] achieves a rich collection of algebraic properties [32,33,34,35] of UTXO-based blockchains that can be exploited in future formal reasoning about blockchain systems.
In [36], the theory of resources of [37] is utilized to achieve a basic category-theoretical model of cryptocurrency systems. First, [36] gives a precise semantics of a version of string diagrams that have been augmented by concepts for modeling resource ownership (compare with [38]). Then, [36] shows the applicability of these augmented string diagrams to ledger structures. With this work, [36] is able to show “how the resource theoretic interpretation of monoidal categories, and in particular their string diagrams [39], captures the sort of material history that concerns ledger structures for blockchain systems” [36].
The work presented in this paper is different from [28, 36] in regard of the following aspects: We formalize not only one of the established e-money schemes (UTXO scheme, account scheme), but incorporate the novel bill scheme into our theory; and we utilize our formalization to yield a series of results on the decomposability of the several e-money schemes, that are needed in informed design decisions in designing sharded blockchain technology. The bill scheme is particularly important, as our investigation shows that the bill scheme allows for the design of an ultra-scalable blockchain technology via sharding.
In [40], category theory is utilized to improve the language design and implementation of the blockchain smart contract language Simplicity. While [40] provides another useful example of leveraging category theory to advance the practice of information systems, and blockchain technology in particular, their objective (semantics and pragmatics of a smart contract language) is different from the objective of this paper (theoretical foundation of payment systems to enable the analysis of payment system decomposition).
Money Schemes
A money scheme [41, 42] describes the representational aspects of money and payments. There are different money schemes in practical use—account schemes, bill schemes, UTXO schemes, etc. In this section, we present a formal approach to characterize different money schemes.
Money Distributions
Money can be represented as a set U of units and a value function \(\nu :U \rightarrow \mathbb {N}\) that defines for each unit \(u\in U\) its value \(\nu (u)\in \mathbb {N}\), where \(\mathbb {N}\) is the set of natural numbers. The units may be accounts, bills, UTXOs, etc. We assume that there exists an infinite set \(\mathscr {U}\) of all potential units, i.e. \(U\subset \mathscr {U}\). For describing the ownership of money, a second function \(\beta :U \rightarrow \mathscr {B}\) is introduced that assigns for each unit \(u\in U\) its owner (bearer) \(\beta (u)\in \mathscr {B}\), where \(\mathscr {B}\) is the set of all potential bearers.
A triple \(M=(U, \nu , \beta )\) is called a money distribution because it describes the units with their values and ownership. We denote by \(\mathscr {M}\) the set of all possible money distributions, i.e. \(\mathscr {M}\) consists of all triples \((U,\nu ,\beta )\), where U is a finite subset of \(\mathscr {U}\) and \(\nu :U\rightarrow \mathbb {N}\) and \(\beta :U\rightarrow \mathscr {B}\) are any functions.
In such a model, we define the total amount of money in a money distribution \(M=(U,\nu ,\beta )\) as \(\sigma (M)=\sum _{u\in U}\nu (u)\), and the money owned by a bearer \(b\in \mathscr {B}\) by \(\sigma (M, b)= \sum _{u\in \beta ^{-1}(b)} \nu (u)\). The ownership function \(\sigma (M, \cdot ):\mathscr {B}\rightarrow \mathbb {N}\) represents the account view of the money distribution M. A money distribution M can be represented as a pair \((\mathscr {B}, \sigma (M,\cdot ))\). This is equivalent to hiding the units of the money distribution M from an owner b and showing only the account balance \(\sigma (M,b)\).
Money distribution is only a static picture of money and does not distinguish different money schemes. What makes the most important technical difference between money schemes are the payments.
Money Transformations and Payments
Payments are a certain type of transformation that changes the money distribution but preserves the total amount \(\sigma (M)\) of money. Before defining payments, we define money transformations that do not necessarily preserve \(\sigma (M)\).
Definition 1
(Money transformation) A money transformation P is a function \(P:\mathscr {M}\rightarrow \mathscr {M}\) defined as a rule on a finite subset \(U_P\) of units such that for every \(u\in U_P\), it is described how the unit itself and its parameters \(\nu (u)\) and \(\beta (u)\) are changed by P. For every money distribution \(M=(U,\nu ,\beta )\), a money transformation P may:

Delete u, if \(u\in U\). If \(u\not \in U\), then P cannot be applied to M.

Create u and define \(\nu (u)\) and \(\beta (u)\), if \(u\not \in U\). If \(u\in U\), then P cannot be applied to M.

Reduce or raise the value of u in a certain way and/or change the bearer of u, assuming that the value of u cannot become negative. If this would happen or if \(u\not \in U\), then P cannot be applied to M.
We assume that if P cannot be applied to M, then \(P(M)=M\). Note that P(M) does not depend on units outside \(U_P\) nor their parameters.
A money transformation P with \(U_P=\emptyset \) is called the identity transformation and is denoted by \(1_\mathscr {M}\) or simply 1. The following lemmas (Lemmas 1, 2, 3) are direct corollaries from Definition 1.
Lemma 1
Let P be a money transformation and \(M=(U,\nu ,\beta )\) be any money distribution such that \(M\ne P(M)\). Let \(M'=(U',\nu ', \beta ')\) be a money distribution such that \(U\cap U_P=U'\cap U_P\), \(\nu (u)=\nu '(u)\), \(\beta (u)=\beta '(u)\) for all \(u\in U\cap U_P\), i.e. \(M'\) differs from M only by the units \(u\not \in U_P\) and possibly by their values \(\nu (u)\) and \(\beta (u)\). Then also \(M'\ne P(M')\).
Proof
As the status of the units of \(U_P\) in \(M'\) is the same as in M, and the rules of P can be applied to M, then P can be applied to \(M'\). \(\square \)
Lemma 2
If \(P,P'\) are money transformations and \(M\ne P(M)=P'(M)\) for \(M\in \mathscr {M}\), then \(P=P'\), i.e. \(P(M')=P'(M')\) for every \(M'\in \mathscr {M}\).
Proof
The assumption \(M\ne P(M)=P'(M)\) implies that the rules of both P and \(P'\) can be applied to M and they change M in the same way.

If a unit u was deleted in M, then the rules of both P and \(P'\) contain the instruction to delete u.

If a unit u was created in M, then the rules of both P and \(P'\) contain an instruction to create u with exact same parameters.

If the parameters of a unit u were changed in M, then the rules of both P and \(P'\) contain the instruction to change the parameters of u in exact same way.
The rules of P and \(P'\) cannot contain more instructions than such changes indicate. Therefore, P and \(P'\) are defined by the same rules and hence, they act on every \(M'\) in exact same way. \(\square \)
Lemma 3
For every money transformation \(P\ne 1\), there is a money distribution M where \(P(M)\ne M\).
Proof
For every \(u\in U_P\), if P creates u, choose \(M=(U,\nu ,\beta )\) in a way that \(u\not \in U\); if P deletes u, make sure that \(u\in U\). If P reduces \(\nu (u)\) by d, make sure that \(\nu (u)\ge d\). It is easy to see that a finite U exists that satisfies all these requirements, because \(U_P\) is finite. \(\square \)
Note that the composition \(P_1\circ P_2\) of two money transformations \(P_1\) and \(P_2\) is not always a money transformation. For example, if \(P_2\) reduces the value of u by 10, and \(P_1\) raises the value of u by 20, then in a money distribution \(M_1=(U_1,\nu _1,\beta _1)\) where \(u\in U_1\) and \(\nu _1(u)=5\), and in another money distribution \(M_2=(U_2,\nu _2,\beta _2)\) where \(u\in U_2\) and \(\nu _2(u)=10\), the unit u is changed differently by \(P_1\circ P_2\). Indeed, in \((P_1\circ P_2)(M_1)\) the value of u will be 25 (i.e. raised by 20), but in \((P_1\circ P_2)(M_2)\) the value of u will be 15 (i.e. raised by 10). Therefore, to describe the action of compositions \(P_1\circ P_2\) one may need different unit-based rules in money distributions \(M_1\) and \(M_2\).
Definition 2
(Non-redundant composition) A composition \(P_m\circ \cdots \circ P_1\) of money transformations \(P_i\) is non-redundant at a money distribution M if \(M_{i-1}\ne P_i(M_{i-1})\) for every \(i\in \{1,\ldots ,m\}\), where \(M_0,M_1,\ldots ,M_m\) are money distributions such that \(M_0 = M\) and \(M_{j}=P_j(M_{j-1})\) for every \(j\in \{1,\ldots ,m\}\).
Definition 3
(Coproduct) The coproduct \(P_1\oplus P_2\) of money transformations \(P_1,P_2\) with \(U_{P_1}\cap U_{P_2}=\emptyset \) is a money transformation P with \(U_P=U_{P_1}\cup U_{P_2}\) and with the rule that if \(u\in U_{P_1}\), then the rule of \(P_1\) is applied, and if \(u\in U_{P_2}\), then the rule of \(P_2\) is applied. If any of the rules cannot be applied to a money distribution M, then \((P_1\oplus P_2)(M)=M\).
Hence, it might be that \((P_1\oplus P_2)(M)=M\), but \(P_1(M)\ne M\) or \(P_2(M)\ne M\). Note also that, if \(M\ne (P_1\oplus P_2)(M)\), then \((P_1\oplus P_2)(M)= P_2(P_1(M))\), but in general, this is not true.
Definition 4
(Payment) A payment is a money transformation P that does not change the total amount of money, i.e. \(\sigma (P(M))=\sigma (M)\) for every \(M\in \mathscr {M}\).
Some examples of payments that act on a money distribution \(M=(U,\nu ,\beta )\):

Identity transformation \(1_\mathscr {M}\) changes no units.

Account payments change the values \(\nu (u)\) and \(\nu (v)\) of two units (accounts) \(u,v\in U\). The resulting money distribution is \((U', \nu ', \beta ')\), where \(U'=U\), \(\beta '=\beta \) (no accounts are deleted/created and their owners stay the same), and \(\nu '(u)+\nu '(v)= \nu (u)+\nu (v)\), i.e. total amount of money does not change.

Bill payments change only the owner \(\beta (u)\) of a unit (bill) u. The resulting money distribution is \((U', \nu ', \beta ')\), where \(U'=U\), \(\nu '=\nu \) (no units are created/deleted and their values stay the same), but possibly \(\beta '(u)\ne \beta (u)\).

UTXO payments delete a set \(\{u_1, \ldots , u_m\}\) of units (UTXOs) and create a set \(\{v_1, \ldots , v_k\}\) of units so that \(\nu (u_1)+ \ldots + \nu (u_m) = \nu '(v_1) + \ldots + \nu '(v_k)\) in the resulting money distribution \((U',\nu ',\beta ')\).
Money Schemes
A money scheme describes which money distributions and which payments are allowed in an application of money.
Definition 5
(Money scheme) A money scheme is a pair \((\mathscr {M}, \mathscr {P})\), where \(\mathscr {M}\) is a set of money distributions and \(\mathscr {P}\) is a set of payments, such that the next properties hold:

Identity: \(1_\mathscr {M}\in \mathscr {P}\).

Accessibility of money: For every \(M\in \mathscr {M}\) and \(b\in \mathscr {B}\), there is \(P\in \overline{\mathscr {P}}\) such that \(\sigma (P(M),b)=0\), i.e. bearers can always spend all their money. Here, \(\overline{\mathscr {P}}\) denotes the set of all finite compositions \(P=P_1\circ \cdots \circ P_m\) of \(P_i\in \mathscr {P}\).
In this work, we assume for simplicity that \(\mathscr {M}\) is always the set of all money distributions as defined in “Money Distributions”. This simplification is justified because only the payments make a difference between money schemes.
A composition \(P=P_1\circ P_2\) of payments \(P_1,P_2\in \mathscr {P}\) is not necessarily a payment. From a practical implementation viewpoint, payments represent transactions that are initiated by payment orders sent to the money and payment system by its users. If two users send their payment orders \(P_1, P_2\) to the system, then the money and payment system does not necessarily accept “composite” payment orders the execution of which is equivalent to applying \(P_1\circ P_2\) to the current money distribution. For every \(P\in \overline{\mathscr {P}}\), we define a function \(\Delta _P:\mathscr {M}\times \mathscr {B}\rightarrow \mathbb {Z}\), so that
which shows how the account balance of b is changed by P. If \(\Delta _P(M,b)>0\), then b pays money to other bearers, and if \(\Delta _P(M,b)<0\), then b receives money via P.
Lemma 4
(Uniformity of amount) If \((\mathscr {M}, \mathscr {P})\) is a money scheme with the bearer set \(\mathscr {B}\), \(P\in \mathscr {P}\), \(M,M'\in \mathscr {M}\), \(b\in \mathscr {B}\), \(P(M)\ne M\), and \(P(M')\ne M'\), then
Proof
Direct implication from the description of payments via actions on all potential units \(u\in \mathscr {U}\) (Definition 1, Definition 4). If P can be applied to both money distributions M and \(M'\), then P changes them in exactly the same way. \(\square \)
Definition 6
(Subscheme) A money scheme \((\mathscr {M}, \mathscr {P})\) is a subscheme of a money scheme \((\mathscr {M}, \mathscr {P}')\), if \(\mathscr {P}\subseteq \mathscr {P}'\).
Categorization of Money Schemes by Invariance
In this subsection, we present a full list of types of money schemes \((\mathscr {M}, \mathscr {P})\), based on the invariance of components U, \(\nu \), and \(\beta \) of money distributions under the payments \(P\in \mathscr {P}\) of the money scheme. From a purely combinatorial viewpoint, there are eight classes of schemes as presented in Table 1:

1. If all three parameters U, \(\nu \), and \(\beta \) are invariant, then the payments do not change the money distribution, which means that money does not flow, and hence, this class of schemes is not interesting.

2. There exist no schemes in which only U changes, because changing the domain of the functions \(\nu \) and \(\beta \) also means changing \(\nu \) and \(\beta \) as functions.
So, only five of these eight types are of practical interest:

1. Schemes in which only the bearer function \(\beta \) changes, i.e., bill schemes.

2. Schemes in which only the value function \(\nu \) changes, i.e., account schemes.

3. Schemes in which only \(\beta \) and \(\nu \) change, one example of which is the extended account scheme, where in addition to ordinary account transfers, the owners of accounts may also change.

4. Schemes in which all parameters may change, i.e., the hybrid schemes, an example of which is the UTXO scheme.
For having a closer view on how money schemes can be constructed, especially the hybrid schemes, we will study in “Descriptional complexity of payments” the algebraic structure of payments, i.e. how more complex payments can be constructed from simpler ones.
Descriptional Complexity of Payments
In this section, we describe and categorise all possible types of payments and show how payments can be algebraically decomposed to irreducible payments.
As every payment P is a money transformation, it is represented as a rule on a finite subset \(U_P\subset \mathscr {U}\) of units, that is a non-intersecting union \(U_P=U^-_P\cup U^+_P\cup U^0_P\) of the next subsets:

\(U^-_P\): the set of units that P deletes.

\(U^+_P\): the set of units that P creates.

\(U^0_P\): the set of units u the parameters \(\nu (u), \beta (u)\) of which are changed by P.
The descriptional complexity \(\Vert P\Vert \) of P is the sum of the sizes of \(U^-_P, U^+_P, U^0_P\), i.e. \(\Vert P\Vert = \Vert U^-_P\Vert +\Vert U^+_P\Vert +\Vert U^0_P\Vert \). The input complexity \(\Vert P\Vert _\textsf{in}\) of P is the sum of the sizes of \(U^-_P, U^0_P\), i.e. \(\Vert P\Vert _\textsf{in} = \Vert U^-_P\Vert +\Vert U^0_P\Vert \). For \(P=1_\mathscr {M}\), we have \(\Vert P\Vert = \Vert P\Vert _\textsf{in} = 0\), and vice versa, if \(\Vert P\Vert = 0\) for a payment P, then \(U^-_P = U^+_P = U^0_P = \emptyset \), which means that P does not create/delete units nor change the parameters of any units, which means that \(P=1_\mathscr {M}\). In the following, we present three more examples of the complexities of payments:

Single bill transfer: A payment P that changes the bearer of a single unit u and does nothing else. In this case, \(\Vert P\Vert = \Vert P\Vert _\textsf{in} = 1\).

Account payment: A payment P that changes the values \(n_1, n_2\) of two units \(u_1\) and \(u_2\) to \(n'_1, n'_2\) so that \(n'_1 + n'_2 = n_1 + n_2\). In this case, \(\Vert P\Vert = \Vert P\Vert _\textsf{in} = 2\).

UTXO payment: A payment P that deletes units \(u_1, \ldots , u_k\) with values \(n_1, \ldots , n_k\) and creates units \(u'_1, \ldots , u'_\ell \) with values \(n'_1, \ldots , n'_\ell \) so that \(n'_1 + \cdots + n'_\ell = n_1 + \cdots + n_k\). In this case, \(\Vert P\Vert = k+\ell \) and \(\Vert P\Vert _\textsf{in} = k\).
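The following Python model is an added example, not code from the paper or from KSI Cash. It implements money transformations per Definition 1 with the rule \(P(M)=M\) when P cannot be applied, computes \(\Vert P\Vert \) and \(\Vert P\Vert _\textsf{in}\) for the three payments above, and counts how many shards each payment touches. The unit names, the `SHARD` placement map, and the choice that a delete rule pins the value it expects are assumptions made for illustration.

```python
from typing import Dict, NamedTuple, Optional, Set

class Unit(NamedTuple):
    value: int     # nu(u)
    bearer: str    # beta(u)

class Rule(NamedTuple):
    kind: str                     # "delete" | "create" | "change"
    value: int = 0                # value deleted/created, or signed delta for "change"
    bearer: Optional[str] = None  # bearer for "create"; new bearer (or None) for "change"

Dist = Dict[str, Unit]            # money distribution M = (U, nu, beta)
Transformation = Dict[str, Rule]  # one rule per unit of U_P

def sigma(m: Dist, bearer: Optional[str] = None) -> int:
    """sigma(M) if bearer is None, else sigma(M, b)."""
    return sum(u.value for u in m.values() if bearer is None or u.bearer == bearer)

def apply(p: Transformation, m: Dist) -> Dist:
    """Apply P to M; if any rule cannot be applied, return M unchanged (P(M) = M)."""
    out = dict(m)
    for uid, r in p.items():
        cur = m.get(uid)
        if r.kind == "create":
            if cur is not None:
                return dict(m)
            out[uid] = Unit(r.value, r.bearer)
        elif r.kind == "delete":
            # Assumption: the rule names the value it deletes, so sigma is preserved.
            if cur is None or cur.value != r.value:
                return dict(m)
            del out[uid]
        elif r.kind == "change":
            if cur is None or cur.value + r.value < 0:
                return dict(m)
            out[uid] = Unit(cur.value + r.value, r.bearer or cur.bearer)
        else:
            raise ValueError(f"unknown rule kind: {r.kind}")
    return out

def complexity(p: Transformation) -> int:
    """||P|| = |U^-_P| + |U^+_P| + |U^0_P|."""
    return len(p)

def input_complexity(p: Transformation) -> int:
    """||P||_in = |U^-_P| + |U^0_P|."""
    return sum(1 for r in p.values() if r.kind in ("delete", "change"))

def coproduct(p1: Transformation, p2: Transformation) -> Transformation:
    """P1 (+) P2 for transformations acting on disjoint unit sets."""
    if p1.keys() & p2.keys():
        raise ValueError("U_P1 and U_P2 must be disjoint")
    return {**p1, **p2}

# Constructed sample data: a unit-wise placement of units on two shards.
SHARD = {"bill1": 0, "bill2": 1, "accA": 0, "accB": 1,
         "utxo1": 0, "utxo2": 1, "utxo3": 0}

def shards_touched(p: Transformation) -> Set[int]:
    """Shards that must take part in executing P under the placement above."""
    return {SHARD[uid] for uid in p}

M: Dist = {
    "bill1": Unit(10, "alice"), "bill2": Unit(5, "bob"),
    "accA": Unit(30, "alice"), "accB": Unit(0, "bob"),
    "utxo1": Unit(7, "alice"),
}

BILL_TRANSFER = {"bill1": Rule("change", 0, "bob")}
ACCOUNT_PAYMENT = {"accA": Rule("change", -12), "accB": Rule("change", +12)}
UTXO_PAYMENT = {"utxo1": Rule("delete", 7),
                "utxo2": Rule("create", 4, "bob"),
                "utxo3": Rule("create", 3, "alice")}
# Cannot be applied to M: accB holds 0, so its value would become negative.
OVERDRAFT = {"accB": Rule("change", -1), "accA": Rule("change", +1)}

if __name__ == "__main__":
    for name, p in [("bill", BILL_TRANSFER), ("account", ACCOUNT_PAYMENT),
                    ("utxo", UTXO_PAYMENT)]:
        print(name, complexity(p), input_complexity(p),
              sorted(shards_touched(p)), sigma(apply(p, M)) == sigma(M))
```

Only the single bill transfer stays inside one shard; the account and UTXO payments span both shards, which is where the atomic commit problem from the Introduction appears.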
Definition 7
(Composition-irreducible payments) A payment P is reducible at a money distribution \(M\in \mathscr {M}\) if \(M\ne P(M)\) and there exists a composition \(P_m\circ \cdots \circ P_1\) of payments, non-redundant at M, with \(\Vert P_i\Vert <\Vert P\Vert \) for all \(i\in \{1,\ldots ,m\}\) such that
A payment P is composition-irreducible if no such composition exists for P at any money distribution M.
Theorem 1
The next payments P with \(\Vert P\Vert \le 2\) are composition-irreducible:

Zero creation—creates a unit with value 0, i.e. \(\Vert P\Vert = 1\) and \(\Vert P\Vert _\textsf{in} = 0\).

Zero deletion—deletes a unit with value 0, i.e. \(\Vert P\Vert = 1\) and \(\Vert P\Vert _\textsf{in} = 1\).

Single unit transfer—changes the bearer of one unit, i.e. \(\Vert P\Vert = \Vert P\Vert _\textsf{in} = 1\).

Transfer with recreation—deletes a unit u (with a nonzero value) and creates a new unit v with the same value, i.e. \(\Vert P\Vert = 2\) and \(\Vert P\Vert _\textsf{in} = 1\).

Two unit split—creates a new unit v (with nonzero value) and changes the parameters of another unit u (reduces the value by \(\nu (v)\), and possibly, changes the bearer), i.e. \(\Vert P\Vert = 2\) and \(\Vert P\Vert _\textsf{in} = 1\).

Two unit join—deletes a unit u (with nonzero value) and changes the parameters of another unit v (raises the value \(\nu (v)\) by \(\nu (u)\), and possibly, changes the bearer \(\beta (v)\)), i.e. \(\Vert P\Vert = \Vert P\Vert _\textsf{in} = 2\).

Two-unit swap—changes the values and possibly bearers of two units u, v, i.e. \(\Vert P\Vert = \Vert P\Vert _\textsf{in} = 2\).
Proof
First, we categorize all payments P with \(\Vert P\Vert = 1\). They are all composition-irreducible as the only payment with complexity 0 is the identity transformation 1. Let \(M\in \mathscr {M}\) be a money distribution such that \(M\ne P(M)\), which exists due to Lemma 3. There are three possibilities:

\(\Vert U^-_P\Vert = 1\), \(\Vert U^+_P\Vert = \Vert U^0_P\Vert = 0\): This means that P just deletes a unit u and does nothing else. As P preserves total money, the value of u must be zero. Hence, P is a zero-deletion.

\(\Vert U^+_P\Vert = 1\), \(\Vert U^-_P\Vert = \Vert U^0_P\Vert = 0\): This means that P just creates a unit u and does nothing else. As P preserves total money, the value of u must be zero. Hence, P is a zero-creation.

\(\Vert U^0_P\Vert = 1\), \(\Vert U^+_P\Vert = \Vert U^-_P\Vert = 0\): This means that P does not create/delete units but changes the parameters of a single unit u. As P preserves total money, it cannot change the value of u. Hence, P is a single-unit transfer.
Secondly, we categorize all payments P with \(\Vert P\Vert = 2\). There are the following possibilities:

\(\Vert U^0_P\Vert = 0\), \(\Vert U^-_P\Vert = \Vert U^+_P\Vert = 1\): This means that P deletes a unit u and creates another unit v. As P preserves total money, u and v have the same value. The value must be nonzero, because otherwise P acts on M as a composition of a zero-deletion and a zero-creation. Hence, P is a transfer with recreation. Obviously, P is composition-irreducible, because the creation and deletion operations are not payments.

\(\Vert U^-_P\Vert = 0\), \(\Vert U^+_P\Vert = \Vert U^0_P\Vert = 1\): This means that P creates a unit and changes the parameters of another unit. The created unit must have nonzero value, because otherwise P acts on M as a composition of a zero-creation and a single-unit transfer. Hence, P is a two-unit split and is composition-irreducible because the creation of a unit and changing the value of a unit are not payments.

\(\Vert U^+_P\Vert = 0\), \(\Vert U^-_P\Vert = \Vert U^0_P\Vert = 1\): This means that P deletes a unit and changes the parameters of another unit. The deleted unit must have nonzero value, because otherwise P acts as a composition of a zero-deletion and a single-unit transfer. Hence, P is a two-unit join.

\(\Vert U^0_P\Vert = 2\), \(\Vert U^-_P\Vert = \Vert U^+_P\Vert = 0\): This means that P changes the parameters of two units. We have two subcases:

If P changes the values of the units, then P is a two-unit swap.

If P does not change the values of the units but only their bearers, then P acts on M as a composition of two single-unit transfers and is not composition-irreducible.


\(\Vert U^-_P\Vert = 2\), \(\Vert U^0_P\Vert = \Vert U^+_P\Vert = 0\): This means that P deletes two units and does nothing else. In this case, P acts on M as a composition of two zero-deletions and is not composition-irreducible.

\(\Vert U^+_P\Vert = 2\), \(\Vert U^0_P\Vert = \Vert U^-_P\Vert = 0\): This means that P creates two units and does nothing else. In this case, P acts on M as a composition of two zero-creations and is not composition-irreducible.
\(\square \)
Corollary 2
Every payment P with \(\Vert P\Vert \le 2\) acts on any money distribution M either as 1, a composition-irreducible payment, or a composition \(P_2\circ P_1\) of two composition-irreducible payments \(P_1,P_2\) with \(\Vert P_1\Vert =\Vert P_2\Vert =1\).
We will show next that every payment P acts on every money distribution M as a composition, nonredundant at M, of payments \(P_i\) with \(\Vert P_i\Vert \le 2\), and hence, the seven payment types listed by Theorem 1 are the only existing composition-irreducible payments.
Definition 8
(Value-invariant compositions) A finite composition P of payments is value-invariant at a money distribution M if, when applied to M, it does not create or delete units u with the value \(\nu (u)>0\), nor does it change the value of any unit.
It is easy to see that for every composition of payments P that is value-invariant at M, there are payments \(P_1, \ldots , P_m\) all being either zero-creations, zero-deletions, or single-unit transfers, such that \(P(M)=(P_m\circ \cdots \circ P_1)(M)\) is a composition that is nonredundant at M.
Theorem 3
For every finite composition P of payments and for every money distribution M such that \(M\ne P(M)\) there exists a composition \(P_m\circ \cdots \circ P_1\) of payments \(P_i\) with \(\Vert P_i\Vert \le 2\) that is nonredundant at M such that \(P(M) = (P_m\circ \cdots \circ P_1)(M)\).
Proof
Let P be any composition of payments and M be a money distribution such that \(M\ne P(M)\). We use induction on the number n of units the value of which is changed by P. If \(n=0\), then P is value-invariant at M and the statement of the theorem follows from the observation that P is a nonredundant composition of zero-creations, zero-deletions, and single-unit transfers, and the descriptional complexity of all these three types of payments is 1.
Assume that \(n>0\) and the statement of the theorem holds for smaller values of n. Hence, P is not valueinvariant at M, and u is a unit the value of which is changed by the amount \(d>0\). We also take into account the cases where u is created or deleted by P. We choose u in a way that d is minimal. Because of the money invariant and the minimality of d, there must be a unit v the value of which is changed (by P) by the amount of \(d'\ge d\) but to the opposite direction compared to u.
Let \(P_1\) be a payment that only changes the values of u and v by d and in the same direction as P. For example, if P creates u and reduces the value of v by \(d'\), then \(P_1\) also creates u but reduces the value of v only by d. The descriptional complexity of \(P_1\) is \(\Vert P_1\Vert \le 2\). Note also that the composition \(P\circ P_1^{-1}\) of payments changes the value of fewer units in \(M'=P_1(M)\) than P changes on M, as \(P\circ P_1^{-1}\) does not change the value of u. If \(P_1(M)=(P\circ P_1^{-1})(P_1(M))\), then
and the statement holds. If \(P_1(M)\ne (P\circ P_1^{-1})(P_1(M))\) then we can apply the induction step, i.e. there is a nonredundant (at \(P_1(M)\)) composition \(P_{m}\circ \cdots \circ P_2\) of payments with descriptional complexity \(\Vert P_i\Vert \le 2\), such that
and as \(M\ne P_1(M)\), the composition \(P_m\circ \cdots \circ P_1\) is nonredundant at M. \(\square \)
Corollary 4
For every payment P and for every \(M\in \mathscr {M}\) there exist composition-irreducible payments \(P_1, \ldots , P_m\) such that
Proof
Direct implication from Theorem 1, Corollary 2, and Theorem 3. \(\square \)
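The proof of Theorem 3 is constructive, and the following Python sketch carries it out on concrete data; it is an added example, not code from the paper. It assumes a money distribution is a dictionary from unit id to (value, bearer), classifies each step by the sizes of \(U^+_P\), \(U^-_P\), \(U^0_P\) as the case analysis of Theorem 1 does, and uses constructed sample distributions.

```python
from typing import Dict, List, Tuple

Dist = Dict[str, Tuple[int, str]]   # unit id -> (value nu(u), bearer beta(u))

# (|U+|, |U-|, |U0|) -> payment type, following the case analysis of Theorem 1.
NAMES = {
    (1, 0, 0): "zero-creation",
    (0, 1, 0): "zero-deletion",
    (0, 0, 1): "single-unit transfer",
    (1, 1, 0): "transfer with recreation",
    (1, 0, 1): "two-unit split",
    (0, 1, 1): "two-unit join",
    (0, 0, 2): "two-unit swap",
}

def total(m: Dist) -> int:
    return sum(v for v, _ in m.values())

def value(m: Dist, u: str) -> int:
    """Value of u, counting a unit that does not exist as contributing 0."""
    return m[u][0] if u in m else 0

def classify(before: Dist, after: Dist) -> str:
    """Name one step. Only used on steps built by decompose(), which always
    fall into one of the seven cases above."""
    created = len(after.keys() - before.keys())
    deleted = len(before.keys() - after.keys())
    changed = sum(1 for u in before.keys() & after.keys() if before[u] != after[u])
    return NAMES[(created, deleted, changed)]

def decompose(before: Dist, after: Dist) -> List[Tuple[str, Dist]]:
    """Rewrite the change before -> after as steps of complexity <= 2."""
    if total(before) != total(after):
        raise ValueError("total money is not preserved: not a payment")
    cur: Dist = dict(before)
    steps: List[Tuple[str, Dist]] = []

    def record(nxt: Dist) -> None:
        nonlocal cur
        steps.append((classify(cur, nxt), nxt))
        cur = nxt

    # Induction of Theorem 3: while some value still differs, pick the unit u
    # with the smallest remaining change d and a unit v changing the other way.
    while True:
        delta = {u: value(after, u) - value(cur, u) for u in cur.keys() | after.keys()}
        delta = {u: d for u, d in delta.items() if d != 0}
        if not delta:
            break
        u = min(delta, key=lambda k: (abs(delta[k]), k))
        d = abs(delta[u])
        v = min(k for k in delta if delta[k] * delta[u] < 0)
        nxt = dict(cur)
        for unit in (u, v):
            new_val = value(cur, unit) + (d if delta[unit] > 0 else -d)
            if new_val == 0 and unit not in after:
                del nxt[unit]                       # fully spent unit is deleted
            else:
                bearer = cur[unit][1] if unit in cur else after[unit][1]
                nxt[unit] = (new_val, bearer)       # created units get their final bearer
        record(nxt)

    # Value-invariant remainder: zero-creations, zero-deletions, single-unit transfers.
    for unit in sorted(cur.keys() | after.keys()):
        if cur.get(unit) != after.get(unit):
            nxt = dict(cur)
            if unit in after:
                nxt[unit] = after[unit]
            else:
                del nxt[unit]
            record(nxt)
    return steps

# Constructed sample: alice pays 30, bob's unit is consumed, carol's empty
# unit z disappears and a new unit c worth 60 appears for carol.
BEFORE: Dist = {"a": (50, "alice"), "b": (30, "bob"), "z": (0, "carol")}
AFTER: Dist = {"a": (20, "alice"), "c": (60, "carol")}

if __name__ == "__main__":
    for name, dist in decompose(BEFORE, AFTER):
        print(f"{name:26s} -> {dist}")
```

Every intermediate distribution has the same total as the input, and a pair of distributions with different totals is rejected before any step is produced.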
Implementations of Money Schemes
Money schemes are special cases of transition systems. Every transition system is a pair (S, T), where S is the set of states and T is a set of state transitions (functions of type \(S\rightarrow S\)) that contains the identity transition \(1_S\) (sometimes denoted simply by 1) defined by \(1_S(s)=s\) for every \(s\in S\). Transition systems are equivalent to state machines and in this paper we refer to them simply as machines. This is motivated by modelling machine implementations of money schemes. For any transition system (S, T), we denote by \(\overline{T}\) the set of all finite compositions \(t_1\circ \cdots \circ t_m\), where \(t_i\in T\).
Definition 9
(Implementation) A transition system (S, T) implements a money scheme \((\mathscr {M}, \mathscr {P})\) if (Fig. 1):

1. There is a surjective interpretation map \(\pi :S\rightarrow \mathscr {M}\), i.e. every state s of the machine is interpreted as a money distribution \(M=\pi (s)\) (Fig. 1, left).

2. For every payment \(P\in \mathscr {P}\) and every state \(s\in S\) interpreted as a money distribution \(M\in \mathscr {M}\) (i.e. \(\pi (s)=M\)) there is a transition \(t\in T\) such that the state \(s'=t(s)\) is interpreted as the money distribution P(M), i.e. \(\pi (s')=\pi (t(s)) = P(\pi (s)) = P(M)\) (Fig. 1, right).
A decomposition of a money scheme is an implementation of the money scheme with two machines, formally defined as follows:
Definition 10
(Decomposition) Transition systems \((S_1,T_1),(S_2,T_2)\) decompose a money scheme \((\mathscr {M}, \mathscr {P})\) if (Fig. 2):

1. There is a surjective interpretation map \(\pi :S_1\times S_2\rightarrow \mathscr {M}\), i.e. every pair of states \(s_1\in S_1, s_2\in S_2\) of the machines is interpreted as a money distribution \(M=\pi (s_1,s_2)\) (Fig. 2, left).

2. For every \(P\in \mathscr {P}\) and every pair of states \(s_1\in S_1, s_2\in S_2\) interpreted as a money distribution \(\pi (s_1,s_2)=M\in \mathscr {M}\) there exist \(t_1\in T_1, t_2\in T_2\) such that the pair of states \(s'_1=t_1(s_1), s'_2 = t_2(s_2)\) is interpreted as the money distribution P(M), i.e. (Fig. 2, right)
$$\begin{aligned} \pi (s'_1,s'_2)=\pi (t_1(s_1),t_2(s_2)) = P(\pi (s_1,s_2)) = P(M). \end{aligned}$$
Decomposition of a money scheme can also be defined as an implementation of the money scheme by the direct product of the machines \((S_1,T_1),(S_2,T_2)\), which is defined as a machine (S, T), where \(S=S_1\times S_2\) and \(T=T_1\times T_2\) and for every \(t=(t_1,t_2)\in T_1\times T_2\) and \(s=(s_1,s_2)\) the new state \(s'=t(s)\) is defined by \(t(s) = (t_1(s_1), t_2(s_2))\).
From a more general viewpoint, all transition systems with identity transformations (machines) are objects of a category, in which the morphisms are defined as partial implementations (Definition 11).
Definition 11
(Partial implementation) A partial implementation of a machine \(M_2=(S_2,T_2)\) by a machine \(M_1=(S_1,T_1)\) is a function \(f:S_1\rightarrow S_2\) such that for every \(s_1\in S_1\) and every \(t_2\in T_2\), there is \(t_1\in T_1\) such that \(f(t_1(s_1)) = t_2(f(s_1))\).
As the identity map \(1_S:S\rightarrow S\) is a partial implementation of \(M=(S,T)\) by itself and the composition of two partial implementations is a partial implementation, we have a category structure. One can also show that the epimorphisms of this category are exactly the surjective partial implementations and the monomorphisms are exactly the injective partial implementations. The implementations in terms of Definition 9 (i.e. the interpretation maps \(\pi \)) are exactly the epimorphisms from machines to money schemes. However, the direct product of two machines is not always a product in terms of the category (see Appendix B for details).
Blockchain Implementations
An evolution of a transition system (S, T) is a sequence
where \(s_0\in S\) is the initial state, \(t_1,t_2, \ldots , t_m\in T\) are transitions, and \(\tau _0<\tau _1<\tau _2< \cdots < \tau _m\) are real numbers interpreted as timestamps. The final state \(s'\) of the evolution is defined by \(s'=t_m(t_{m-1}(\ldots t_1(s_0) \ldots ))\). Intuitively, an evolution is a description of the execution of the transition system in time.
For security-critical transition systems such as money schemes it is vital to store the evolution and protect its integrity with cryptography. Therefore, certificates \(C_0,C_1, C_2, \ldots , C_m\) are added to the evolution, so that the certified evolution
cannot be maliciously modified without making it cryptographically inconsistent. The certificates also prove the uniqueness of the certified evolution, i.e. they must convince the verifiers that there exist no alternative versions of the evolution.
What is also important for the verifiers is whether they see the whole evolution, including all transitions that have been executed so far, i.e. if verification happens at time \(\tau \), then also the fact that no transitions happened between \(\tau _m\) and \(\tau \). This suggests a certification scheme where transitions of the evolution are certified in batches (blocks) on a predetermined time schedule and the certified evolution has the form:
where every block \(B_i\) represents a composition \(t^1_i\circ \cdots \circ t^{m_i}_i\) of transitions. Note that some blocks \(B_i\) may be empty and in this case, they represent the identity transition \(1_S\). Certified data structures in the form of (1) are called blockchains.
A blockchain implementation of a transition system (S, T) is a network of machines, called a blockchain node, that consists of three machines (Fig. 3):

File repository—stores certified blocks and, on request, provides applications with blockchain data.

Certifier—regularly (based on clock) creates block certificates based on a cryptographic hash of the block.

Transaction validator—receives transition orders from applications, verifies them using the current state \(s\in S\), combines transactions to blocks, obtains certificates from the certifier, and sends certified blocks to the file repository.
A blockchain implementation of a composed money scheme with two transition systems \((S_1,T_1)\) and \((S_2, T_2)\) is a network of machines called a sharded blockchain node (Fig. 4). It has two independent transaction validators that implement \((S_1,T_1)\) and \((S_2, T_2)\) and produce subblocks \(B^1\) and \(B^2\), respectively. It also has two file repositories, and a common certifier for both blocks. The blockchain produced by the first transaction validator is in the form:
where \(\Pi ^1_i\) denotes additional information (usually in the form of a hash chain) that helps to verify the blockchain against the certificate \(C_i\). Analogously, the blockchain produced by the second transaction validator is in the form:
For executing a payment P, two transaction orders \(t_1, t_2\) have to be sent to the two transaction validators (Fig. 4) and the validators include these transactions in the blocks \(B^1\) and \(B^2\), respectively.
Atomic Decomposition of Money Schemes
As the blocks have to be produced based on a fixed time schedule, there is a limited time for the validators to decide whether to include \(t_1\) and \(t_2\) in the blocks \(B^1\) and \(B^2\). Considering possible message loss and network delays between the transaction validators and applications, it is always possible that only one of the transactions \(t_1,t_2\) is received in time (considering the block creation schedule).
It is known that there exist no deterministic time protocols (executed between transaction validators) which ensure that either \(t_1\in B^1\) and \(t_2\in B^2\), or \(t_1\not \in B^1\) and \(t_2\not \in B^2\). Such a communication problem is often called the two generals problem. Therefore, it is possible that \(t_1\in B^1\) but \(t_2\not \in B^2\) and vice versa. In transition system terms, instead of executing \((t_1,t_2)\), either \((t_1,1)\) or \((1,t_2)\) is executed in the implementing machines.
If \((S_1,T_1), (S_2, T_2)\) represent a decomposition of a money scheme \((\mathscr {M}, \mathscr {P})\) and such errors cannot in principle be avoided, we can only ask how the partial transactions \((t_1,1),(1,t_2)\) are interpreted in the money scheme as changes of the money distribution. Do they preserve total money? Are they payments? If yes, are they in \(\mathscr {P}\)? If the current states are \(s_1\in S_1\) and \(s_2\in S_2\) and money distribution is \(M=\pi (s_1,s_2)\), then \(P(M)=\pi (t_1(s_1), t_2(s_2))\). The money distribution after applying the erroneous pair \((t_1,1)\) is \(M_1=\pi (t_1(s_1), s_2)\) and after applying \((1,t_2)\), the resulting money distribution is \(M_2=\pi (s_1, t_2(s_2))\).
The following definition of atomic decomposition (Definition 12, item 1) requires that there are at least payments \(P_1, P_2\in \mathscr {P}\) such that \(P_1(M)=M_1\) and \(P_2(M)=M_2\). In practical implementations, one may require some more. For example, that \(P_1,P_2\) represent partial payments, i.e. if a bearer b pays or receives money via P, then the same happens via \(P_1\) and \(P_2\) but possibly, the received/paid amount is smaller. We also require that independently acting on \((S_1,T_1), (S_2, T_2)\) with any pair of \(t_1\in T_1\), \(t_2\in T_2\) is always interpreted as a payment. Item 2 and item 3 of Definition 12 require that if we apply a transition t in just one component and this is interpreted as a change of the money distribution, then t will also change the money distribution independently of the state of the other component.
Definition 12
(Atomic decomposition) Transition systems \((S_1,T_1), (S_2, T_2)\) together with the interpretation map \(\pi \) represent an atomic decomposition of a money scheme \((\mathscr {M}, \mathscr {P})\) iff for every \(s_1\in S_1\), \(s_2\in S_2\), \(M=\pi (s_1,s_2)\), and \(t_1\in T_1\), \(t_2\in T_2\), there exists \(P\in \mathscr {P}\), such that \(P(M)=\pi (t_1(s_1),t_2(s_2))\), and for every such P, there exist \(P_1,P_2\in \mathscr {P}\) so that:

1. \(P_1(M)=\pi (t_1(s_1), s_2)\) and \(P_2(M) =\pi (s_1, t_2(s_2))\).

2. If \(P'_1\in \mathscr {P}\) and \(M\ne P'_1(M)=\pi (t_1(s_1),s_2)\), then for every \(s''_2\in S_2\):
$$\begin{aligned} \pi (s_1,s''_2)\ne P'_1(\pi (s_1,s''_2))=\pi (t_1(s_1),s''_2). \end{aligned}$$

3. If \(P'_2\in \mathscr {P}\) and \(M\ne P'_2(M)=\pi (s_1,t_2(s_2))\), then for every \(s''_1\in S_1\):
$$\begin{aligned} \pi (s''_1,s_2)\ne P'_2(\pi (s''_1,s_2))=\pi (s''_1,t_2(s_2)). \end{aligned}$$
If a money scheme \((\mathscr {M}, \mathscr {P})\) is decomposed by transition systems \((S_1,T_1), (S_2, T_2)\) and an interpretation map \(\pi :S_1\times S_2\rightarrow \mathscr {M}\), then in general, \((S_1,T_1)\) and \((S_2, T_2)\) do not necessarily represent money schemes. However, if such a decomposition is atomic, we can show that in some sense this is the case. We will show that it is possible to define two functions \(\sigma _1:S_1\times \mathscr {B}\rightarrow \mathbb {N}\) and \(\sigma _2:S_2\times \mathscr {B}\rightarrow \mathbb {N}\) so that given a bearer \(b\in \mathscr {B}\) and states \(s_1\in S_1\), \(s_2\in S_2\), the values \(\sigma _1(s_1,b)\) and \(\sigma _2(s_2,b)\) will show how much money b has in \(S_1\) and \(S_2\), respectively. We also show that for \(M=\pi (s_1,s_2)\)
i.e. the total money b owns in the money scheme is the sum of the money b holds in \(s_1\) and the money b holds in \(s_2\). Moreover, we show that the values \(\sigma _1(s_1) = \sum _{b\in \mathscr {B}}\sigma _1(s_1,b)\) and \(\sigma _2(s_2) = \sum _{b\in \mathscr {B}}\sigma _2(s_2,b)\) are invariant under the payments of the money scheme and \(\sigma (M) = \sigma _1(s_1) + \sigma _2(s_2)\). This implies that in an atomically decomposed money scheme there is no transfer of value from one component to another.
We define the money \(\sigma _1(s_1,b)\) the bearer b owns in the first system as the largest amount of money b can pay using a sequence of transitions of type \((t_1,1)\), and analogously, the money \(\sigma _2(s_2,b)\) the bearer b has in the second system as the largest amount of money b can pay using a sequence of transitions of type \((1, t_2)\).
Definition 13
(Functions \(\sigma _1\), \(\sigma _2\)) For any states \(s_1\in S_1\), \(s_2\in S_2\), and a bearer \(b\in \mathscr {B}\):

\(\sigma _1(s_1,b)\) is the largest number \(n_1\in \mathbb {N}\) such that there is \(t_1\in \overline{T}_1\) such that \(\sigma (\pi (s_1,s_2),b) - \sigma (\pi (t_1(s_1),s_2),b) = n_1\).

\(\sigma _2(s_2,b)\) is the largest number \(n_2\in \mathbb {N}\) such that there is \(t_2\in \overline{T}_2\) such that \(\sigma (\pi (s_1,s_2),b) - \sigma (\pi (s_1,t_2(s_2)),b) = n_2\).

\(\sigma _1(s_1)\) is the sum \(\sum _{b\in \mathscr {B}} \sigma _1(s_1,b)\).

\(\sigma _2(s_2)\) is the sum \(\sum _{b\in \mathscr {B}} \sigma _2(s_2,b)\).
Lemma 5
The value of \(\sigma _1(s_1,b)\) does not depend on \(s_2\), nor does \(\sigma _2(s_2,b)\) depend on \(s_1\).
Proof
If \(\sigma _1(s_1,b)=0\) for every state \(s_2\), then the statement is trivially true. Let \(t_1=t^m_1\circ \cdots \circ t^1_1\in \overline{T}_1\) and \(s_2\) be a state such that
Let \(s^0_1,s^1_1, \ldots , s^m_1\in S_1\) be a sequence of states such that \(s^0_1 = s_1\) and \(s^{i}_1 = t^i_1(s^{i-1}_1)\) for every \(i\in \{1, \ldots , m\}\). Hence, by applying telescoping to (2):
We can assume without loss of generality that \(\pi (t^i_1(s^{i-1}_1),s_2)\ne \pi (s^{i-1}_1,s_2)\), because otherwise we can just omit such \(t^i_1\) from \(t_1\). Let \(M_{i-1} = \pi (s^{i-1}_1,s_2)\). By atomicity (Definition 12, item 1), there exists \(P^i_1\in \mathscr {P}\) such that \(M_{i-1}\ne P^i_1(M_{i-1}) = \pi (t^i_1(s^{i-1}_1),s_2)\), and therefore, \(\sigma (\pi (s^{i-1}_1,s_2),b) - \sigma (\pi (t^i_1(s^{i-1}_1),s_2),b)=\Delta _{P^i_1}(M_{i-1},b)\). Let \(s'_2\in S_2\) be any state and let \(M'_{i-1}=\pi (s^{i-1}_1, s'_2)\). By atomicity (Definition 12, item 2), \(M'_{i-1}\ne P^i_1(M'_{i-1}) = \pi (t^i_1(s^{i-1}_1),s'_2)\) and hence, by the uniformity of amount (Lemma 4), \(\Delta _{P^i_1}(M_{i-1},b) = \Delta _{P^i_1}(M'_{i-1},b) = \sigma (\pi (s^{i-1}_1,s'_2),b) - \sigma (\pi (t^i_1(s^{i-1}_1),s'_2),b)\). Therefore:
The proof for \(\sigma _2(s_2,b)\) is similar, by using atomicity (Definition 12, item 3). \(\square \)
Theorem 5
If \((S_1,T_1)\) and \((S_2,T_2)\) with interpretation map \(\pi \) atomically decompose a money scheme \((\mathscr {M}, \mathscr {P})\) with the bearer set \(\mathscr {B}\), then for every \(s_1\in S_1, s_2\in S_2\), \(M=\pi (s_1,s_2)\in \mathscr {M}\) and \(b\in \mathscr {B}\):
Proof
Due to the accessibility of money (Definition 5), there is \(P=P^m\circ \cdots \circ P^1\in \overline{\mathscr {P}}\) such that \(\sigma (P(M), b)=0\). Let \(M_0,M_1,\ldots , M_m\in \mathscr {M}\) be a sequence of money distributions such that \(M_0=M\), and \(M_i=P^i(M_{i-1})\) for every \(i\in \{1, \ldots , m\}\). Let \(s^0_1,s^1_1, \ldots , s^m_1\in S_1\) and \(s^0_2,s^1_2, \ldots , s^m_2\in S_2\) be sequences of states such that \(M_i=\pi (s^i_1,s^i_2)\) for every \(i\in \{1, \ldots , m\}\). Due to decomposition, there exist \(t^i_1\in T_1\) and \(t^i_2\in T_2\) such that \(s^i_1 = t^i_1(s^{i-1}_1)\) and \(s^i_2 = t^i_2(s^{i-1}_2)\). Let \(t_1=t^m_1\circ \ldots \circ t^1_1\in \overline{T}_1\) and \(t_2=t^m_2\circ \ldots \circ t^1_2\in \overline{T}_2\). Therefore, \(P(M)=P(\pi (s_1,s_2))=\pi (t_1(s_1),t_2(s_2))\). Hence, by Lemma 5:
To prove the dual inequality, choose \(t_1=t^{m_1}_1\circ \ldots \circ t^1_1\in \overline{T}_1\) and \(t_2=t^{m_2}_2\circ \ldots \circ t^1_2 \in \overline{T}_2\) so that
where in the second equation, we use Lemma 5. Let \(s^0_1,s^1_1, \ldots , s^{m_1}_1\in S_1\) be a sequence of states such that \(s^0_1 = s_1\) and \(s^i_1 = t^i_1(s^{i-1}_1)\), for every \(i\in \{1,\ldots ,m_1\}\); and let \(s^0_2,s^1_2, \ldots , s^{m_2}_2\in S_2\) be a sequence of states such that \(s^0_2 = s_2\) and \(s^j_2 = t^j_2(s^{j-1}_2)\), for every \(j\in \{1,\ldots ,m_2\}\). Due to atomicity (Definition 12, item 1), for every \(i\in \{1,\ldots , m_1\}\), there exists \(P^i_1\in \mathscr {P}\) such that \(P^i_1(\pi (s^{i-1}_1, s_2)) = \pi (s^i_1, s_2)\); and for every \(j\in \{1,\ldots , m_2\}\), there exists \(P^j_2\in \mathscr {P}\) such that \(P^j_2(\pi (t_1(s_1), s^{j-1}_2)) = \pi (t_1(s_1), s^j_2)\). Hence, \(P=P^{m_2}\circ \ldots \circ P^1_2\circ P^{m_1}_1\circ \ldots \circ P^{1}_1\in \mathscr {P}\) satisfies \(P(M) = P(\pi (s_1,s_2)) = \pi (t_1(s_1),t_2(s_2))\). Therefore:
\(\square \)
Theorem 6
If \((S_1,T_1)\), \((S_2,T_2)\) with interpretation map \(\pi \) atomically decompose a money scheme \((\mathscr {M}, \mathscr {P})\) with the bearer set \(\mathscr {B}\), then \(\sigma (M) = \sigma _1(s_1) + \sigma _2(s_2)\) for \(M=\pi (s_1,s_2)\), and \(\sigma _1(s_1)\) and \(\sigma _2(s_2)\) are invariant under any \(P\in \mathscr {P}\).
Proof
The first claim directly follows from Theorem 5:
Let \(s_1\in S_1\), \(s_2\in S_2\), \(t_1\in T_1\) and \(t_2\in T_2\). By atomicity (Definition 12, item 1), there exists \(P_1\in \mathscr {P}\) such that \(P_1(M)=\pi (t_1(s_1), s_2)\). Hence,
and as \(\sigma (P_1(M))=\sigma (M)\), we conclude by combining (3) and (4) that
If \(P\in \mathscr {P}\) is any payment, then by atomicity (Definition 12), there exist \(t_1\in T_1\) and \(t_2\in T_2\) such that \(P(M)=\pi (t_1(s_1),t_2(s_2))\). Hence, in the pair \((t_1(s_1),t_2(s_2))\) of states interpreted as P(M), the value of \(\sigma _1\) is \(\sigma _1(t_1(s_1))=\sum _{b\in \mathscr {B}} \sigma _1(t_1(s_1),b) = \sum _{b\in \mathscr {B}} \sigma _1(s_1,b) = \sigma _1(s_1)\). The invariance of \(\sigma _2(s_2)\) is proved analogously. \(\square \)
For example, Theorem 6 implies that there exist no atomic decompositions of the full account scheme that allows payments between any two accounts such that \((S_1,T_1)\) handles one subset of accounts and \((S_2,T_2)\) handles other accounts, because there is no possibility to pay from an account handled by \((S_1,T_1)\) to an account handled by \((S_2,T_2)\). Otherwise, the values \(\sigma _1(s_1)\) and \(\sigma _2(s_2)\) would change. In “Unitwise Decompositions of Money Schemes”, we take a more general approach to such unitwise decompositions of any money scheme.
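The partial executions \((t_1,1)\) and \((1,t_2)\) discussed in this section can be replayed on a two-shard model; the Python sketch below is an added example, not code from the paper. It assumes a unitwise split in which each shard state maps unit ids to (value, bearer), uses the plain sum of unit values in a shard as a stand-in for \(\sigma _1(s_1)\) and \(\sigma _2(s_2)\), checks only the necessary condition that total money is preserved, and runs on constructed account and bill data.

```python
from typing import Callable, Dict, Tuple

State = Dict[str, Tuple[int, str]]        # shard state: unit id -> (value, bearer)
Transition = Callable[[State], State]

def identity(s: State) -> State:
    return dict(s)

def pi(s1: State, s2: State) -> State:
    """Interpretation map of a unitwise split: the union of both shards."""
    if s1.keys() & s2.keys():
        raise ValueError("a unit may live in only one shard")
    return {**s1, **s2}

def total(m: State) -> int:
    return sum(v for v, _ in m.values())

def balance(m: State, bearer: str) -> int:
    return sum(v for v, b in m.values() if b == bearer)

def adjust_value(unit: str, delta: int) -> Transition:
    """Account-style transition: debit or credit one unit inside one shard."""
    def t(s: State) -> State:
        v, b = s[unit]
        if v + delta < 0:
            raise ValueError("insufficient funds")
        return {**s, unit: (v + delta, b)}
    return t

def set_bearer(unit: str, bearer: str) -> Transition:
    """Bill-style transition: hand one unit over, value untouched."""
    def t(s: State) -> State:
        v, _ = s[unit]
        return {**s, unit: (v, bearer)}
    return t

def commit_outcomes(s1: State, s2: State, t1: Transition, t2: Transition,
                    payee: str) -> Dict[str, Dict[str, object]]:
    """Apply (t1,t2), (t1,1) and (1,t2) and report what each one means
    for the money distribution pi(s1, s2)."""
    before = total(pi(s1, s2))
    cases = {
        "both": (t1, t2),
        "only_shard1": (t1, identity),    # t2 missed the block deadline
        "only_shard2": (identity, t2),    # t1 missed the block deadline
    }
    report = {}
    for name, (a, b) in cases.items():
        n1, n2 = a(s1), b(s2)
        report[name] = {
            "total_preserved": total(pi(n1, n2)) == before,
            "shard_totals_preserved": total(n1) == total(s1) and total(n2) == total(s2),
            "payee_balance": balance(pi(n1, n2), payee),
        }
    return report

# Constructed account scheme: alice's account in shard 1 pays 30 to bob's in shard 2.
ACCOUNTS = commit_outcomes(
    {"acct-alice": (100, "alice")}, {"acct-bob": (20, "bob")},
    adjust_value("acct-alice", -30), adjust_value("acct-bob", +30), "bob")

# Constructed bill scheme: alice hands bob a 20 bill from shard 1 and a 10 bill from shard 2.
BILLS = commit_outcomes(
    {"bill-1": (20, "alice"), "bill-2": (10, "alice")}, {"bill-7": (10, "alice")},
    set_bearer("bill-1", "bob"), set_bearer("bill-7", "bob"), "bob")

if __name__ == "__main__":
    for scheme, rep in (("accounts", ACCOUNTS), ("bills", BILLS)):
        for case, facts in rep.items():
            print(scheme, case, facts)
```

In the account run, either half applied alone destroys or creates 30 units of money, and even the full pair moves value between shards, which Theorem 6 rules out for atomic decompositions. In the bill run, every outcome preserves both the total and the per-shard totals, and a lost half only makes the payment smaller.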
Unitwise Decompositions of Money Schemes
In this section, we study a special type of decompositions of money schemes, where the unit set is divided into two subsets that are handled by two separate machines. In “Notations and Definition”, we give a formal definition for such decompositions, derive some theoretical results in “Theoretical results about unitwise decompositions”, and draw some conclusions in “Theoretical results about unitwise decompositions”.
Notations and Definition
Let the universe \(\mathscr {U}\) of potential units be split into two nonintersecting subsets \(\mathscr {U}_1\) and \(\mathscr {U}_2\). We assume that \(\mathscr {U}_1\), \(\mathscr {U}_2\) are infinite. For a money distribution \(M=(U,\nu ,\beta )\) let \(M_{\mathscr {U}_1}\) and \(M_{\mathscr {U}_2}\) be money distributions such that:
where \(\nu _{\mathscr {U}_1}\) is the restriction of \(\nu \) to \(\mathscr {U}_1\), i.e. a function \(\nu _{\mathscr {U}_1}:U\cap \mathscr {U}_1\rightarrow \mathbb {N}\) so that \(\nu _{\mathscr {U}_1}(u) = \nu (u)\) for every \(u\in U\cap \mathscr {U}_1\). For any money distributions \(M_1 = \{U_1,\nu _1,\beta _1\}\) with \(U_1\subset \mathscr {U}_1\) and \(M_2 = \{U_2,\nu _2,\beta _2\}\) with \(U_2\subset \mathscr {U}_2\) we define a money distribution \(M_1\oplus M_2\) as follows:
where \(\nu =\nu _1\cup \nu _2\) is a function such that \(\nu (u) = \nu _1(u)\) if \(u\in \mathscr {U}_1\) and \(\nu (u)=\nu _2(u)\) otherwise. The function \(\beta =\beta _1\cup \beta _2\) is defined similarly. Note that
for any money distributions \(M, M_1, M_2\). For any set \(\mathscr {M}\) of money distributions, we define subsets \(\mathscr {M}_{\mathscr {U}_1}\) and \(\mathscr {M}_{\mathscr {U}_2}\) as follows:
For every money transformation P on \(\mathscr {M}\), we define money transformations \(P_{\mathscr {U}_1}\) on \(\mathscr {M}_{\mathscr {U}_1}\) and \(P_{\mathscr {U}_2}\) on \(\mathscr {M}_{\mathscr {U}_2}\) as follows:

\(P_{\mathscr {U}_1}\) acts on the units of \(\mathscr {U}_1\) in the same way as P, except that it does nothing with the units of \(\mathscr {U}_2\).

\(P_{\mathscr {U}_2}\) acts on the units of \(\mathscr {U}_2\) in the same way as P, except that it does nothing with the units of \(\mathscr {U}_1\).
It is easy to see that for every money distribution M and for every money transformation P such that \(M\ne P(M)\):
Note that \(P=P_{\mathscr {U}_1}\oplus P_{\mathscr {U}_2}\) for every money transformation P.
Definition 14
If transition systems \((S_1,T_1), (S_2,T_2)\) with interpretation map \(\pi \) decompose a money scheme \((\mathscr {M}, \mathscr {P})\), then we say that such a decomposition is a unitwise decomposition relative to \(\mathscr {U}_1\) and \(\mathscr {U}_2\) if

Every \(s_1=(U_1,\nu _1, \beta _1)\in S_1\) is a money distribution, where \(U_1\subset \mathscr {U}_1\) and every \(t_1\in T_1\) is a money transformation on \(S_1\).

Every \(s_2=(U_2, \nu _2, \beta _2)\in S_2\) is a money distribution, where \(U_2\subset \mathscr {U}_2\) and every \(t_2\in T_2\) is a money transformation on \(S_2\).

\(\pi (s_1,s_2)=s_1\oplus s_2=(U_1\cup U_2, \nu _1\cup \nu _2, \beta _1\cup \beta _2)\) for every \(s_1=(U_1,\nu _1, \beta _1)\in S_1\) and \(s_2=(U_2, \nu _2, \beta _2)\in S_2\). The map \(\pi \) is surjective because of (6).
Theoretical Results about Unitwise Decompositions
First, it turns out (Theorem 7) that every money scheme has a canonical unitwise decomposition relative to any \(\mathscr {U}_1, \mathscr {U}_2\). We call such a decomposition the natural decomposition. Therefore, the existence of decompositions tells nothing special about a money scheme. A more interesting question is when the natural decomposition is atomic in terms of Definition 12. Theorem 8 gives necessary and sufficient conditions for that in terms of the structure of the money scheme.
Sometimes in practical implementations it might be sufficient that a money scheme \((\mathscr {M}, \mathscr {P})\) is just a subscheme of a money scheme \((\mathscr {M}, \mathscr {P}')\) the natural decomposition of which is atomic. Theorem 9 gives necessary and sufficient conditions for that in terms of the algebraic structure of the payments \(P\in \mathscr {P}\)—their representations via compositionirreducible payments.
Theorem 7
For every money scheme \((\mathscr {M}, \mathscr {P})\), there exists a unitwise decomposition (called the natural decomposition) relative to \(\mathscr {U}_1\) and \(\mathscr {U}_2\).
Proof
Let \(S_1 = \mathscr {M}_{\mathscr {U}_1}\), \(S_2 = \mathscr {M}_{\mathscr {U}_2}\), \(T_1=\{P_{\mathscr {U}_1}:P\in \mathscr {P}\}\), \(T_2=\{P_{\mathscr {U}_2}:P\in \mathscr {P}\}\), and \(\pi \) be defined as in Definition 14. Note that if \(P\in \mathscr {P}\), then \(P_{\mathscr {U}_1}\) and \(P_{\mathscr {U}_2}\) are money transformations, but not necessarily payments. This is indeed a decomposition in terms of Definition 10, because:

1. If \(s_1=M_{\mathscr {U}_1}\in S_1\) and \(s_2=M'_{\mathscr {U}_2}\in S_2\) with \(M,M'\in \mathscr {M}\), then \(\pi (s_1,s_2)=s_1\oplus s_2\) is a money distribution, and hence, item 1 of Definition 10 is satisfied.

2. Let \(P\in \mathscr {P}\), \(s_1=(U_1,\nu _1, \beta _1)\in S_1\), \(s_2=(U_2, \nu _2, \beta _2)\in S_2\), and \(M=\pi (s_1,s_2)\). If \(M\ne P(M)\), then let \(t_1=P_{\mathscr {U}_1}\) and \(t_2=P_{\mathscr {U}_2}\). Therefore, by applying (8) and (7):
$$\begin{aligned} P(M)= & \, P_{\mathscr {U}_1}(M_{\mathscr {U}_1}) \oplus P_{\mathscr {U}_2}(M_{\mathscr {U}_2})\\= & \, P_{\mathscr {U}_1}((s_1\oplus s_2)_{\mathscr {U}_1}) \oplus P_{\mathscr {U}_2}((s_1\oplus s_2)_{\mathscr {U}_2})\\= & \, \pi (t_1(s_1),t_2(s_2)) \end{aligned}$$
If \(M=P(M)\), then for \(t_1=t_2=1\):
$$\begin{aligned} P(M) = M = \pi (s_1,s_2)=\pi (t_1(s_1),t_2(s_2)), \end{aligned}$$
and hence, item 2 of Definition 10 is satisfied.
\(\square \)
Theorem 8
The natural decomposition of a money scheme \((\mathscr {M}, \mathscr {P})\) relative to \(\mathscr {U}_1\) and \(\mathscr {U}_2\) is atomic, if and only if \(P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2}\in \mathscr {P}\) for every \(P',P''\in \mathscr {P}\).
Proof
First, we show the if part, i.e. assume that \(P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2}\in \mathscr {P}\) for every \(P',P''\in \mathscr {P}\), and prove that the natural decomposition is atomic in terms of Definition 12.

Let \(s_1=M'_{\mathscr {U}_1}\in S_1=\mathscr {M}_{\mathscr {U}_1}\), \(s_2=M''_{\mathscr {U}_2}\in S_2 = \mathscr {M}_{\mathscr {U}_2}\) with \(M',M''\in \mathscr {M}\), be any states, \(M=\pi (s_1,s_2)=s_1\oplus s_2\), and \(t_1=P'_{\mathscr {U}_1}\in T_1\), \(t_2=P''_{\mathscr {U}_2}\in T_2\) be any transitions. Then \(P=P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2}\in \mathscr {P}\).

If \(M\ne P(M)\), then:
$$\begin{aligned} P(M)= & \, P_{\mathscr {U}_1}(M_{\mathscr {U}_1}) \oplus P_{\mathscr {U}_2}(M_{\mathscr {U}_2}) = P_{\mathscr {U}_1}(M'_{\mathscr {U}_1}) \oplus P_{\mathscr {U}_2}(M''_{\mathscr {U}_2})\\= & \, \pi (t_1(s_1),t_2(s_2)). \end{aligned}$$ 
If \(M=P(M)\), then also \(t_1(s_1)=P'_{\mathscr {U}_1}(M'_{\mathscr {U}_1})=M'_{\mathscr {U}_1}=s_1\), and \(t_2(s_2)=P''_{\mathscr {U}_2}(M''_{\mathscr {U}_2})=M''_{\mathscr {U}_2}=s_2\). Therefore
$$\begin{aligned} P(M) = M = \pi (s_1, s_2) = \pi (t_1(s_1),t_2(s_2)). \end{aligned}$$


If \(P\in \mathscr {P}\) is a payment such that \(P(M)=\pi (t_1(s_1), t_2(s_2))\), then by assumption \(P_1=P'_{\mathscr {U}_1}\oplus 1, P_2=1\oplus P''_{\mathscr {U}_2}\in \mathscr {P}\).

If \(M\ne P_1(M)\), then:
$$\begin{aligned} P_1(M)= & \, {P_1}_{\mathscr {U}_1}(M_{\mathscr {U}_1}) \oplus {P_1}_{\mathscr {U}_2}(M_{\mathscr {U}_2}) = \pi (P'_{\mathscr {U}_1}(M'_{\mathscr {U}_1}), M''_{\mathscr {U}_2})\\= & \, \pi (t_1(s_1),s_2) \end{aligned}$$
If \(M=P_1(M)\), then also \(t_1(s_1)=P'_{\mathscr {U}_1}(M'_{\mathscr {U}_1})=M'_{\mathscr {U}_1}=s_1\), and hence, \(P_1(M)=M=\pi (s_1,s_2)=\pi (t_1(s_1), s_2)\).

If \(M\ne P_2(M)\), then:
$$\begin{aligned} P_2(M)= & \, {P_2}_{\mathscr {U}_1}(M_{\mathscr {U}_1}) \oplus {P_2}_{\mathscr {U}_2}(M_{\mathscr {U}_2}) = \pi (M'_{\mathscr {U}_1}, P''_{\mathscr {U}_2}(M''_{\mathscr {U}_2})) \\= & \, \pi (s_1,t_2(s_2)) \end{aligned}$$
If \(M=P_2(M)\), then also \(t_2(s_2)=P''_{\mathscr {U}_2}(M''_{\mathscr {U}_2})=M''_{\mathscr {U}_2}=s_2\), and hence, \(P_2(M)=M=\pi (s_1,s_2)=\pi (s_1, t_2(s_2))\).

Hence, the item 1 of Definition 12 holds.
Let \(P'_1\in \mathscr {P}\) and \(M\ne P'_1(M) = \pi (t_1(s_1), s_2)\) for a \(t_1=P_{\mathscr {U}_1}\) for some \(P\in \mathscr {P}\). Hence, \(P'_1(M) = P_{\mathscr {U}_1} (M_{\mathscr {U}_1}) \oplus M_{\mathscr {U}_2}= (P_{\mathscr {U}_1}\oplus 1)(M) = t_1(s_1)\oplus 1\). As \(t_1\oplus 1=P_{\mathscr {U}_1}\oplus 1\in \mathscr {P}\) is also a money transformation, it implies by Lemma 2 that \(P'_1=t_1\oplus 1\). As for every \(s''_2\in S_2\) the money distribution \(M'=s_1\oplus s''_2\) differs from \(M=s_1\oplus s_2\) only by the elements outside \(U_{P'_1}\), it follows from Lemma 1 that \(M'\ne P'_1(M') = t_1(s_1)\oplus s''_2\). Hence, the item 2 of Definition 12 holds. The item 3 of Definition 12 is proved similarly.
To prove the only if part, assume that the natural decomposition is atomic. Let \(P',P''\in \mathscr {P}\). If \(P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2} = 1\), then it is an element of \(\mathscr {P}\) by definition (Definition 5). If \(P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2} \ne 1\), and \(s_1\in S_1, s_2\in S_2\) are states such that \(s_1\oplus s_2\ne (P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2})(s_1\oplus s_2)\), then by taking \(t_1=P'_{\mathscr {U}_1}\in T_1\) and \(t_2=P''_{\mathscr {U}_2}\in T_2\), it follows from the atomicity (Definition 12) that there exists \(P\in \mathscr {P}\) such that \(P(s_1\oplus s_2) = t_1(s_1)\oplus t_2(s_2)\). Hence,
which by Lemma 2 implies \(P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2}=P\in \mathscr {P}\). \(\square \)
Definition 15
(Subdecomposable money scheme) A money scheme \((\mathscr {M},\mathscr {P})\) is subdecomposable relative to \(\mathscr {U}_1\) and \(\mathscr {U}_2\) if \(\mathscr {P}\subseteq \mathscr {P}'\) for a money scheme \((\mathscr {M},\mathscr {P}')\) the natural decomposition of which is atomic relative to \(\mathscr {U}_1\) and \(\mathscr {U}_2\).
Theorem 9
A money scheme \((\mathscr {M}, \mathscr {P})\) is subdecomposable relative to \(\mathscr {U}_1\) and \(\mathscr {U}_2\) if and only if for every \(P\in \mathscr {P}\) and every \(M\in \mathscr {M}\) with \(M\ne P(M)\) there is a composition \(P_1\circ \cdots \circ P_m\) (non-redundant at M) of composition-irreducible payments \(P_i\) such that \({P_i}_{\mathscr {U}_1}, {P_i}_{\mathscr {U}_2}\in \{1,P_i\}\) for every \(i\in \{1,\ldots ,m\}\) and \(P(M) = (P_1\circ \cdots \circ P_m)(M)\).
Proof
Assume that for every \(P\in \mathscr {P}\) and \(M\in \mathscr {M}\) with \(M\ne P(M)\) there is such a composition \(P(M)=(P_1\circ \cdots \circ P_m)(M)\). Note that for every \(i\in \{1,\ldots ,m\}\), either

\({P_i}_{\mathscr {U}_1} = P_i\) and \({P_i}_{\mathscr {U}_2}=1\), and these \(P_i\) are called payments of the first type, or

\({P_i}_{\mathscr {U}_2} = P_i\) and \({P_i}_{\mathscr {U}_1}=1\), and these \(P_i\) are called payments of the second type.
As \(P_i\circ P_j = P_j\circ P_i\) for every \(P_i\) of the first type and \(P_j\) of the second type, we can assume without loss of generality that \(P_1, \ldots , P_k\) are of first type and \(P_{k+1}, \ldots , P_m\) are of second type. It is easy to see that
Therefore, \(P_{\mathscr {U}_1}\) and \(P_{\mathscr {U}_2}\) act on any M as compositions of payments and hence, preserve \(\sigma (M)\). Moreover, as P is a money transformation, also \(P_{\mathscr {U}_1}\) and \(P_{\mathscr {U}_2}\) are money transformations, and as they preserve \(\sigma (M)\) they are payments.
Let \(\mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}\supseteq \mathscr {P}\) be the set of all payments that have such compositions at every money distribution. We proved that, for every \(P\in \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}\), also \(P_{\mathscr {U}_1}, P_{\mathscr {U}_2}\in \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}\). Moreover, the payments in the composition of \(P_{\mathscr {U}_1}\) can be chosen to be of the first type, and those for \(P_{\mathscr {U}_2}\) of the second type.
Let \(P',P''\in \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}\), \(M\in \mathscr {M}\) such that \(M\ne (P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2})(M)\), and \(M'=P'_{\mathscr {U}_1}(M)\). As also \(P'_{\mathscr {U}_1}, P''_{\mathscr {U}_2}\in \mathscr {P}'\), there are compositions
As \(P'_{\mathscr {U}_1}\) and \(P''_{\mathscr {U}_2}\) are payments, also \(P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2}\) is a payment. Moreover
and therefore \(P'_{\mathscr {U}_1}\oplus P''_{\mathscr {U}_2}\in \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2}\). Hence, \((\mathscr {M}, \mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2})\) is a money scheme the natural decomposition of which is atomic by Theorem 8.
Assume now that there is a money scheme \((\mathscr {M}, \mathscr {P}')\) with \(\mathscr {P}\subseteq \mathscr {P}'\) the natural decomposition of which is atomic. Let \(P\in \mathscr {P}\) and \(M\ne P(M)\) for an \(M\in \mathscr {M}\). From Theorem 8 it follows that \(P_{\mathscr {U}_1}=P_{\mathscr {U}_1}\oplus 1\) and \(P_{\mathscr {U}_2}=1\oplus P_{\mathscr {U}_2}\) are payments in \(\mathscr {P}'\), and also \(P(M)=(P_{\mathscr {U}_1}\oplus P_{\mathscr {U}_2})(M)=(P_{\mathscr {U}_1}\circ P_{\mathscr {U}_2})(M)\) because of \(M\ne P(M)\). Let
be any compositions of \(P_{\mathscr {U}_1}\) on \(M'=(P_{\mathscr {U}_2})(M)\) and of \(P_{\mathscr {U}_2}\) on M into composition-irreducible payments \(P^i_j\) that exist due to Corollary 4. It is easy to see that these compositions can be chosen in a way that \(P^i_1\) do nothing with the units of \(\mathscr {U}_2\) and \(P^i_2\) do nothing with the units of \(\mathscr {U}_1\). Hence, \({P^i_1}_{\mathscr {U}_1}=P^i_1\) and \({P^i_2}_{\mathscr {U}_2}=P^i_2\). Therefore, \(P(M)=(P^{m_1}_1\circ \cdots \circ P^1_1\circ P^{m_2}_2\circ \cdots \circ P^1_2)(M)\) is a composition with the required properties. \(\square \)
Corollary 10
Every money scheme is subdecomposable relative to \(\mathscr {U}_1,\mathscr {U}_2\) if and only if it is a subscheme of \((\mathscr {M},\mathscr {P}^\textsf{uni}_{\mathscr {U}_1,\mathscr {U}_2})\).
Implications
If a composition-irreducible payment P is a zero-creation, a zero-deletion, or a single unit transfer, then \(P_{\mathscr {U}_1}, P_{\mathscr {U}_2}\in \{1,P\}\), because these payments only involve a single unit.
In practical implementations of money schemes, transfers with recreation and two-unit splits can be organized in a way that the newly created units are always chosen in the same \(\mathscr {U}_i\), which guarantees that the condition \(P_{\mathscr {U}_1}, P_{\mathscr {U}_2}\in \{1,P\}\) holds.
The critical composition-irreducible payments for atomic decomposability are two-unit joins and two-unit swaps (the only composition-irreducible payments with input complexity \(\Vert P\Vert _\textsf{in}=2\)), where the condition \(P_{\mathscr {U}_1}, P_{\mathscr {U}_2}\in \{1,P\}\) does not hold if the two involved units are in different \(\mathscr {U}_i\). Therefore, the input complexity \(\Vert P\Vert _\textsf{in}\) (and not \(\Vert P\Vert \)) is critical for unitwise atomic decomposability. Some implications:

The complete account money scheme, where payments can be done between any two accounts, is not a subscheme of any money scheme the natural decomposition of which is atomic, because the complete account scheme implements two-unit swaps that involve any pair u, v of units.

The same is true for the complete UTXO money scheme, because it implements two-unit joins that involve any pair u, v of UTXOs.

The bill money scheme itself has unitwise atomic decompositions, as single bill payments have complexity \(\Vert P\Vert _\textsf{in} = 1\).
Moreover, the bill money scheme enables total unitwise atomic decomposability where every bill u is maintained in a separate machine and in the blockchain setting in a separate transaction validator that produces the blockchain (ledger) of the bill u in the form:
where \(B^u_i\) is either empty or contains a single payment \(P^u_i\), and \(\Pi ^u_i\) denotes additional information (usually in the form of a hash chain) that helps to verify the blockchain against the certificate \(C_i\).
Security of Blockchain Implementations
In so-called permissionless blockchain systems, new blocks are verified by thousands of nodes, and erroneous blocks in the certified blockchain can be considered almost impossible. However, permissionless systems tend to be more costly to manage and to have a larger \(\textrm{CO}_2\) footprint than permissioned blockchain systems, where the number of redundant nodes is much smaller.
Hence, it is probably more efficient to implement Central Bank Digital Currency (CBDC) as a permissioned blockchain system, where new blocks are verified by just a few nodes. However, in this case, due to potential insider threats, erroneous blocks in the blockchain should be considered a possibility.
In the blockchain node (Fig. 3), the transaction validator together with the file repository are modelled as an adversarial entity that may deviate from ledger rules. Misbehavior of a node may be caused by internal attacks by malicious employees of system operators who may also be owners of money.
The practical goal of an attacker is to buy some goods by using falsified electronic cash, so that such a deception remains undetected for a certain time sufficient for the attacker to escape. We assume covert adversaries [43, 44] that are considered successful only if their malicious behaviour remains undetected at least for some time. The Certifier (Fig. 3) is guaranteed to create a unique block certificate \(C_n\) for every block number n. The adversary has no control over the Certifier, which is assumed to be controlled by the central bank.
We assume that a bill payment scheme is used in the CBDC blockchain solution, where every bill u has a bill ledger. At every payment with u, an audit protocol is executed to verify that the bill is properly used, i.e. all the ledger rules are fulfilled. In the sequel, we study two types of audit protocols:

1. Full audit—guarantees that the ledger rules are followed.

2. Probabilistic audit—guarantees that any deviation from ledger rules will be detected very soon with high probability.
Rules of a Bill Ledger
Let U be the set of all bills and \(\beta _0:U \rightarrow \mathscr {B}\) be a function that defines the initial owner \(\beta _0(u)\) of every bill \(u\in U\). We assume that both U and \(\beta _0\) are verifiably certified by Central Bank and cannot be altered by other parties. Every payment order is in the form \(P^u=\langle \iota , b, \lambda , s \rangle \), where \(\iota \) is a unique identifier of u, \(b\in B\) is the payee identifier, \(\lambda \) is a unique identifier of the payment order, and s is a signature of the payer. Every block \(B^u_n\) of the bill ledger
is either empty, or contains a payment order \(P^u_n=\langle \iota , b, \lambda , s \rangle \), where:

1. \(\lambda = H(\iota , \beta _0(u))\) and s is the signature of \(\beta _0(u)\) if \(P^u_n\) is the first payment with u, where \(H:\{0,1\}^*\rightarrow \{0,1\}^k\) is a cryptographic hash function.

2. \(\lambda = H(P^u_{n'})\) and s is the signature of \(b'\) if \(P^u_{n'}=\langle \iota , b', \lambda ', s' \rangle \) is the payment order contained in the last non-empty block \(B^u_{n'}\) in the sequence \(B^u_1, \ldots , B^u_{n-1}\).
Hence, the blocks \(B^u_{n'+1}, B^u_{n'+2}, \ldots , B^u_{n-2}, B^u_{n-1}\) must be empty. The collision resistance of H guarantees that \(\lambda \) is unique for every payment order.
The certificate \(C_n\) contains the block hash \(r_n\) and there is a function \(F^H\) that uses H as an oracle such that \(F^H(u; B^u_n, \Pi ^u_n)=r_n\), and if \(R^u\ne \underline{R}^u\) and \(F^H(u; B^u, \Pi ^u)=F^H(u; \underline{B}^u, \underline{\Pi }^u)\), then the computations of \(F^H\) contain either an H-collision, or an H-preimage of \(0^k\) – a bitstring X such that \(H(X)=0^k\). Both are assumed to be infeasible to find for practical hash functions.
User Side Full Audit
The main idea behind the full audit is that every user who has received u with a payment \(P^u_{n'}\) and later, at block \(n>n'\), uses u in a payment \(P^u_n\), verifies that the blocks \(B^u_{n'+1}, B^u_{n'+2}, \ldots , B^u_{n-1}\) are empty (Fig. 5).
Full Audit Protocol
Assume that a user has a bill u paid to her with a payment order \(P^u_{n'}\) at block \(n'\), and that the user’s wallet already contains the certificates \(C_0, \ldots , C_{n'}\) that were already verified, the block \(B^u_{n'}\), and the proof \(\Pi ^u_{n'}\) which also has been verified.
In a block \(n>n'\), the user creates a block \(B^u_n\) with a new payment order \(P^u_n=\langle \iota , b, \lambda , s \rangle \), where \(\lambda =H(P^u_{n'})\), and sends it to the transaction validator. The user then executes the following full audit protocol:

1. User requests \(C_{n'+1}, \ldots , C_n\) and \(\Pi ^u_{n'+1}, \ldots , \Pi ^u_n\) from the file repository.

2. User verifies \(C_{n'+1}, \ldots , C_n\).

3. User verifies \(\Pi ^u_{n'+1}, \ldots , \Pi ^u_n\), assuming that \(B^u_{n'+1}, \ldots , B^u_{n-1}\) are empty, i.e. for every \(i\in \{n'+1, \ldots , n-1\}\) the user extracts the block hashes \(x_i\) from \(C_i\) and checks that \(F^H(u; \emptyset , \Pi ^u_i)=r_n\).
Security of the Full Audit
Ledger rules violation means inserting a block \(\overline{B}^u_i=\{P^u_i\}\) to the ledger, where \(P^u_i\) does not properly follow \(P^u_{n'}\), e.g. is not signed by \(P^u_{n'}.b\). If the full audit at n also verifies, then \(F^H(u; B^u_i, \Pi ^u_i) = r_n = F^H(u; \underline{B}^u_i, \underline{\Pi }^u_i)\) and there is a collision for H or an X such that \(H(X)=0^k\) (Fig. 6).
Communication Complexity of the Full Audit
Let N be the total number of bills. The size of a proof is \(k\cdot \log _2 N\) bits. As we need \(n-n'\) proofs during the audit, the total number of bits communicated is \((n-n')\cdot k\cdot \log _2 N\), which may be impractical if \(n\gg n'\). Using the probabilistic audit makes it possible to reduce the communication complexity. The idea is that we check a random d-element subset of \(B^u_{n'+1}, B^u_{n'+2}, \ldots , B^u_{n-1}\). In the general case, with the bill ledger certification scheme that we described, such an audit is inefficient because the detection probability \(\delta \) of one single illegal block is about \(\frac{d}{n-n'}\), which means that for a high \(\delta \) the number d of detected blocks must be close to \(n-n'\). We show that proper ledger certification schemes make it possible to keep d small.
KSICash Bill Ledger
In this section, we describe the bill ledger certification scheme of the KSICash CBDC solution [1], which enables efficient probabilistic audit protocols with d being a fixed constant that only depends on the required detection probability and not on the length \(n-n'\) of the auditing interval.
Hash Chains
By a hash chain c we mean a (possibly empty) list \(\langle (b_1, y_1), (b_2, y_2), \ldots , (b_\ell , y_\ell ) \rangle \), where \(b_i\in \{0,1\}\) and \(y_i\in \{0,1\}^k\) for every \(i\in \{1, \ldots , \ell \}\). The bitstring \(b_1b_2\ldots b_\ell \) is called the shape of c. Every hash chain can be viewed as a function \(c:\{0,1\}^k\rightarrow \{0,1\}^k\) defined as follows:

1. \(\langle \rangle (x) = x\) for every \(x\in \{0,1\}^k\), where \(\langle \rangle \) is the empty list

2. \(\langle c\Vert (b,y)\rangle (x) = \begin{cases} H(c(x), y) & \text{if } b=0\\ H(y, c(x)) & \text{if } b=1 \end{cases}\), where \(\langle c\Vert (b,y)\rangle \) denotes the list obtained from c by adding (b, y) as the last element.
The Idea of Probabilistic Audit
For every block \(B^u_n\), we define the ledger hash \(x_n\) that is a function of the previous ledger hash \(x_{n-1}\) and the block \(B^u_n\). If \(B^u_n=\emptyset \), then \(x_{n+1}=x_{n}\). Hence, if \(B^u_{n'}=\{P^u_{n'}\}\) is the last non-empty block of u, and the current block number is \(n-1\), then \(x_{n-1} = x_{n-2}=\ldots = x_{n'}\) if the ledger is correctly formed. We say that the empty blocks \(n'+1, \ldots , n-1\) are consistent with \(B^u_{n'}\).
Assume now that an illegal block \(B^u_{i}=\{P^u_i\}\) with \(n'<i<n-1\) is added to the ledger (Fig. 7) with \(P^u_i.\lambda \ne H(P^u_{n'})\), i.e. \(P^u_i\) “double-spends” the bill u. Then \(x_{i}\ne x_{n'}\) and hence, each of the empty blocks \(B^u_{i+1}, B^u_{i+2},\ldots , B^u_{n-1}\) is either consistent with \(B^u_{n'}\) or with \(B^u_{i}\), but not with both. The empty blocks that are consistent with \(B^u_{n'}\) are called black blocks, and the empty blocks that are consistent with \(B^u_{i}\) are called white blocks. Hence, each of the blocks \(B^u_{i+1}, B^u_{i+2},\ldots , B^u_{n-1}\) is either black or white (Fig. 7).
The next payment \(P^u_n\) with u in the block \(B^u_n=\{P^u_n\}\) may either refer back to \(B^u_{n'}\) (i.e. \(P^u_{n}.\lambda = H(P^u_{n'})\)) or to \(B^u_{i}\) (i.e. \(P^u_{n}.\lambda = H(P^u_{i})\)). In the former case, during the audit protocol the blocks \(B^u_{i+1}, B^u_{i+2},\ldots , B^u_{n-1}\) must be shown to be black, and in the latter case these blocks must be shown to be white. For randomly chosen \(j\leftarrow \{i+1, \ldots , n-1\}\), either

The probability that \(B^u_j\) is consistent with \(B^u_{i}\) is \(\le \frac{1}{2}\)

The probability that \(B^u_j\) is consistent with \(B^u_{n'}\) is \(\le \frac{1}{2}\)
and hence, an audit with one randomly selected block \(B^u_j\) in at least one of the two cases succeeds with probability not larger than \(\frac{1}{2}\).
Proofs and Ledger Hashes in KSICash
For every \(n>0\), a proof \(\Pi ^u_{n}\) is a pair \((x_{n-1}^u, c^u_n)\), where \(x^u_{i}\) is a ledger hash computed by the rules:

1. \(x^u_0 = 0\)

2. \(x^u_i = h_0(x^u_{i-1}, h_D(R^u_{i}))\), where:

\(h_D(X) = H(X)\) if \(X\ne \emptyset \), and \(h_D(X) = 0\) if \(X=\emptyset \)

\(h_0(x,y) = H(x,y)\) if \(y\ne 0\), and \(h_0(x, y) = 0\) if \(y=0\)

and \(c^u_n\) is a hash chain with the shape special to u from \(x_n\) to the block hash \(r_n\) in \(C_n\), i.e. \(c^u_n(x_n)=r_n\). The function \(F_H\) is defined as follows:
Lemma 6 guarantees that two different non-empty blocks \(B^u_{n'}\) and \(B^u_{n''}\) must have different ledger hashes. If \(n'<n''<j\), then the ledger hash \(x_{j}\) cannot be equal to both \(x_{n'}\) and \(x_{n''}\) and then by Lemma 7 (proved in [45]), if the block \(B^u_j\) is consistent with both \(B^u_{n'}\) and \(B^u_{n''}\), we have a collision for H.
Lemma 6
If \(\emptyset \ne B^u_{n'} \ne B^u_{n''}\ne \emptyset \), then either \(x^u_{n'} \ne x^u_{n''}\), or we have an explicit H-collision or a bitstring X such that \(H(X)=0\).
Proof
If \(x^u_{n'} = x^u_{n''}\), then by definition \(h_0(x', h_D(B^u_{n'})) = h_0(x'', h_D(B^u_{n''}))\) for some \(x', x''\in \{0,1\}^k\), which by \(B^u_{n'}\ne \emptyset \) and \(B^u_{n''}\ne \emptyset \) implies \(h_0(x', H(B^u_{n'})) = h_0(x'', H(B^u_{n''}))\). If \(H(B^u_{n'})=0\) or \(H(B^u_{n''})=0\), then we can take \(X=B^u_{n'}\) or \(X=H(B^u_{n''})\) and have \(H(X)=0\). If \(H(B^u_{n'})\ne 0\ne H(B^u_{n''})\), then by definition of \(h_0\), we have \(H(x', H(B^u_{n'})) = H(x'', H(B^u_{n''}))\) and because of \(B^u_{n'} \ne B^u_{n''}\), we have a collision for H. \(\square \)
Lemma 7
If \(c^u, {\underline{c}}^u\) are two hash chains with the same u-specific shape, and \(c^u(x^u_{n'}) = \underline{c}^u (x^u_{n''})\) and \(x^u_{n'}\ne x^u_{n''}\), then we have an explicit H-collision.
Proof
Let \(c^u=\langle (b_1, y_1), \ldots , (b_\ell , y_\ell ) \rangle \) and \({\underline{c}}^u=\langle (b_1, y'_1), \ldots , (b_\ell , y'_\ell ) \rangle \) be two hash chains of the same shape. We use induction on \(\ell \). If \(\ell = 0\), then \(c^u=\langle \rangle ={\underline{c}}^u\) and for every \(x^u_{n'}\ne x^u_{n''}\), we have \(c^u(x^u_{n'}) = x^u_{n'} \ne x^u_{n''}=\underline{c}^u (x^u_{n''})\) and hence, the induction basis trivially holds. Assume now that the statement holds for the chains of length \(\ell -1\), for example, for the chains \(c=\langle (b_1, y_1), \ldots , (b_{\ell -1}, y_{\ell -1})\rangle \) and \(c'=\langle (b_1, y'_1), \ldots , (b_{\ell -1}, y'_{\ell -1})\rangle \). Hence, \(c^u=\langle c\Vert (b_\ell ,y_\ell )\rangle \) and \({\underline{c}}^u=\langle c'\Vert (b_\ell ,y'_\ell )\rangle \). If \(b_\ell = 1\), then it follows from \(c^u(x^u_{n'}) = \underline{c}^u (x^u_{n''})\) that
If \(c(x^u_{n'})\ne c'(x^u_{n''})\), then (9) represents a collision for H. If \(c(x^u_{n'})= c'(x^u_{n''})\), we apply the induction hypothesis to imply that the computations \(c(x^u_{n'})\), \(c'(x^u_{n''})\) contain an H-collision. The proof for the case \(b_\ell = 0\) is similar. \(\square \)
KSI Cash Bill Ledger Implementation Case Study
Together with the European Central Bank and a group of eight national central banks from the Eurosystem, KSI Cash [1, 46, 47, 48, 49] has been implemented as a proof-of-concept to assess the technological feasibility of a digital euro.
The performance of the technology has been tested exhaustively. With these performance tests, we achieved:

15 thousand transactions per second, under simulation of realistic usage, with 100 million wallets,

up to 2 million payment orders per second, i.e., an equivalent of more than 300,000 transactions per second, in a laboratory setting with the central components of KSI Cash,

an estimated carbon footprint of 0.0001g CO2 per transaction (as compared to: Bitcoin = 100 kg and more [50,51,52]).
For an exhaustive report on the KSI Cash implementation, its data structures and performance test results, see [1].
User Side Probabilistic Audit in KSICash
The user has a bill u paid to her with a payment order \(P^u_{n'}\) at block \(n'\). We assume that the user's wallet contains the certificates \(C_0, \ldots , C_{n'}\) that were already verified, the block \(B^u_{n'}\), and the proof \(\Pi ^u_{n'}\), which have also been verified. In a block \(n>n'\), the user creates a block \(B^u_n\) with a new payment order \(P^u_n=\langle \iota , b, \lambda , s \rangle \), where \(\lambda =H(P^u_{n'})\), sends it to the transaction validator, and initiates the following protocol:
Probabilistic audit protocol:

1. The user requests and verifies the certificates \(C_{n'+1}, \ldots , C_{n}\).

2. The user generates d random numbers \(n_1, \ldots , n_d \in \{n'+1, \ldots , n-1\}\).

3. The user requests \(\Pi ^u_{n_1}=(x'_{n_1}, c^u_{n_1}), \ldots , \Pi ^u_{n_d}=(x'_{n_d}, c^u_{n_d})\) and checks that \(x'_{n_1} = \ldots = x'_{n_d}=x^u_{n'}\), and \(c^u_{n_1}(x^u_{n'})=r_{n_1}, \ldots , c^u_{n_d}(x^u_{n'})=r_{n_d}\).
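The hash-chain definition, the ledger-hash rule and the probabilistic audit protocol above can be exercised end to end with the following Python example, which is added here and is not KSI Cash code. Assumptions: SHA-256 stands in for H, a plain Merkle tree over all bills' ledger hashes stands in for the certification tree behind \(r_n\), an empty block leaves the ledger hash unchanged (as the description of the idea of the probabilistic audit states), and all function names and payment strings are constructed for illustration.

```python
import hashlib
import random

K = 32                 # hash length in bytes (k = 256 bits)
ZERO = bytes(K)        # the all-zero string 0^k, used as x_0

def H(*parts: bytes) -> bytes:
    """Hash of a tuple of bitstrings (length-prefixed so the encoding is injective)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def next_ledger_hash(prev: bytes, block: bytes) -> bytes:
    """x_i from x_{i-1} and block i; an empty block (b"") carries the hash over (assumption)."""
    return prev if block == b"" else H(prev, H(block))

def apply_chain(chain, x: bytes) -> bytes:
    """Evaluate a hash chain <(b_1,y_1),...,(b_l,y_l)> on x: H(c(x),y) if b=0, H(y,c(x)) if b=1."""
    for b, y in chain:
        x = H(x, y) if b == 0 else H(y, x)
    return x

def shape_of(u: int, height: int):
    """u-specific shape: bit j is 1 when the path node at level j is a right child."""
    return [(u >> j) & 1 for j in range(height)]

def certify(leaves):
    """Toy certifier: Merkle root r_n over all ledger hashes plus one hash chain per bill."""
    n = len(leaves)                      # must be a power of two
    chains = [[] for _ in range(n)]
    level, pos = list(leaves), list(range(n))
    while len(level) > 1:
        for u in range(n):
            p = pos[u]
            chains[u].append((p & 1, level[p ^ 1]))   # (position bit, sibling hash)
            pos[u] = p >> 1
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], chains

def build_ledger(u, n_bills, n_prime, n, white_blocks):
    """Constructed history of bill u: payment in block n', then a validator that commits the
    double-spend ("white") branch in white_blocks and the honest ("black") branch elsewhere."""
    others = [H(b"bill", bytes([v])) for v in range(n_bills)]   # constructed filler leaves
    x_black = next_ledger_hash(ZERO, b"payment order P_n' (constructed)")
    x_white = next_ledger_hash(x_black, b"illegal payment order P_i (constructed)")
    roots, proofs = {}, {}
    for j in range(n_prime + 1, n):
        leaf = x_white if j in white_blocks else x_black
        roots[j], chains = certify(others[:u] + [leaf] + others[u + 1:])
        proofs[j] = (leaf, chains[u])    # Pi_j = (x', c_j) for a block that is empty on its branch
    return x_black, roots, proofs

def check_block(u, height, x_expected, root, proof) -> bool:
    """One audit sample: Pi_j must start at x_{n'}, have u's shape and evaluate to r_j."""
    x_prev, chain = proof
    return (x_prev == x_expected
            and [b for b, _ in chain] == shape_of(u, height)
            and apply_chain(chain, x_expected) == root)

def probabilistic_audit(u, height, x_expected, roots, proofs, samples) -> bool:
    """Step 3 of the protocol for the sampled block numbers n_1, ..., n_d."""
    return all(check_block(u, height, x_expected, roots[j], proofs[j]) for j in samples)

def pass_probability(u, height, x_expected, roots, proofs, d) -> float:
    """Exact chance that d independent uniform samples all verify."""
    ok = sum(check_block(u, height, x_expected, roots[j], proofs[j]) for j in roots)
    return (ok / len(roots)) ** d

if __name__ == "__main__":
    # Bill 2 of 4, received in block 10, spent in block 31; blocks 21..30 are white.
    x, roots, proofs = build_ledger(2, 4, 10, 31, set(range(21, 31)))
    rng = random.SystemRandom()
    samples = [rng.randrange(11, 31) for _ in range(20)]
    print("audit passed:", probabilistic_audit(2, 2, x, roots, proofs, samples))
    print("chance of passing with d=20:", pass_probability(2, 2, x, roots, proofs, 20))
```

The shape check matters as much as the hash comparison: without it, a validator could answer with a valid chain that belongs to a different bill's position in the tree.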
Simplistic Security Analysis
Let the ledger be inconsistent already at block \(B^u_{n'}\) and there are black blocks and white blocks that are inconsistent with each other (Fig. 8). Therefore:

If the fraction of white blocks between \(n'\) and n is \(\le \frac{1}{2}\), and the payment \(P^u_n\) is “white” (\(P^u_n.\lambda = H(P^u_{i})\)), then the audit succeeds with probability \(\le 2^{-d}\).

If the fraction of black blocks between \(n'\) and n is \(\le \frac{1}{2}\), and \(P^u_n\) is “black” (\(P^u_n.\lambda = H(P^u_{n'})\)), then the audit succeeds with probability \(\le 2^{-d}\).
This analysis is precise only if the two blocks \(B^u_{n'}, B^u_{n''}\) are very close, i.e. \(n'\approx n''\). In a more realistic scenario, the adversary may choose suitable block numbers, for example, by delaying the execution of transactions, to make the success probability of probabilistic audit as high as possible. In the next section, we analyze such a possibility and show that such manipulation is not possible considering the properties of practical money systems.
Security: Alternating Payments Case
First, consider a scenario where the adversary has to execute black payments and white payments alternately, as shown in Fig. 9. Assume that the bill u has been paid to two different honest users b and \(b'\) at block \(n_0\) and \(n_1\), respectively. We assume that the payment to b is already an illegal transaction, i.e. from the block \(n_0\) and further, the later blocks (and their certificates) may be consistent with only one branch of the bill ledger. The blocks consistent with the payment to b are said to be black, and the blocks consistent with the payment to \(b'\) are said to be white.
Later at block \(n_2\), the user b pays u to another user, at block \(n_3\) the user \(b'\) pays u to another user, and at block \(n_4\) the bill u is being paid again. We assume that the adversary can choose the blocks \(n_1, n_2, n_3, n_4\) in an appropriate way to hide the inconsistency of the ledger from probabilistic audit.
We assume that there are \(N_0=n_1-n_0-1\) blocks between the payments to b and \(b'\). Analogously, let \(N_1=n_2-n_1-1\), \(N_2=n_3-n_2-1\), and \(N_3=n_4-n_3-1\) (Fig. 9, upper). Note that all these blocks depicted as grey are either black or white. The color of these blocks can be chosen by the adversary. When the payment is made at the block \(n_2\), the adversary is interested that most of the \(N_0+N_1\) grey blocks are black, because the payment at \(n_2\) is checked to be consistent with the black branch. When the payment is made at \(n_3\), the adversary is interested that most of the \(N_1+N_2\) blocks are white, and for the payment at \(n_4\), most of the \(N_2+N_3\) should be black again.
In the general case, the adversary has to execute black and white payments in arbitrary order (Fig. 9, lower), so that before the payment that continues the black block at \(n_0\) is made at the block \(n_2\), some payments continue the white block at \(n_1\) and the last such payment happens at the block \(n'_1\). We assume that the number of blocks between \(n_1\) and \(n'_1\) is \(N'_0\). It may be that none of such payments happen and then \(n'_1=n_1\) and \(N'_0=0\), and hence, we have the alternating attack. Analogously, we assume that some payments may continue the black block at \(n_2\) and the last such payment happens at the block \(n'_2\), etc.
Say the adversary wants that any of the probabilistic tests with d samples should succeed with probability \(1-\delta \). This means that every single-sample test must succeed with probability \(1-\epsilon \), where \((1-\epsilon )^d = (1-\delta )\). For small values of \(\epsilon \) and \(\delta \) they are related linearly: \(\epsilon \approx \frac{\delta }{d}\). We prove in Appendix A that in the general case, the following theorem holds.
Theorem 11
The block numbers \(n_i\) chosen by the adversary satisfy the equality
Hence, the required delays between payments must grow exponentially, which is clearly not realistic for adversaries to enforce in practice.
Discussion
It is not clear how to use client-side audit in case of account money schemes. We cannot just copy the idea of probabilistic audit of bill ledgers, because of very different ledger rules. Even if the total amount of money is controlled by the Central Bank (via count-certified trees [53], etc.), there is always “money on the fly”—payer account debited but payee account not yet credited. The amount of “money on the fly” gives attackers room for illegal transactions that are hard to detect “online”. It would be an interesting research question whether there exist efficient probabilistic audit protocols for account money schemes.
Scalability is one of the most important design goals not only for CBDCs but for blockchain technology in general. Hence, it would be interesting to study if the algebraic decomposition theory presented in this paper can be generalized to address wider design issues of blockchains.
Conclusions
We showed that efficient decomposability (shardability) of blockchain implementations of electronic money depends on the choice of money scheme and how it is associated with the algebraic structure of the payments. It turned out that the natural decomposition of the money scheme is atomic only if the payments can be represented as compositions of irreducible payments without two-unit swaps and two-unit joins. Bill payments have such representations and therefore, the bill money scheme is atomically decomposable. For account and UTXO payments such representations do not exist and therefore, the natural decompositions of the account and the UTXO money schemes are not atomic. Moreover, these schemes have no atomic decompositions of any kind.
The bill money scheme turns out to be the most natural choice also from the viewpoint of security, because it enables efficient and scalable client-side probabilistic audit of the blockchain.
References
Buldas A, Draheim D, Gault M, Laanoja R, Nagumo T, Saarepera M, Shah SA, Simm J, Steiner J, Tammet T, Truu A. An ultra-scalable blockchain platform for universal asset tokenization: design and implementation. IEEE Access. 2022;10:77284–77322. https://doi.org/10.1109/ACCESS.2022.3192837
Danezis G, Meiklejohn S. Centrally banked cryptocurrencies. In: Proceedings of NDSS’16—the 23rd annual symposium on network and distributed system security. Reston: The Internet Society; 2016. p. 1–14.
Federal Reserve Bank of Boston and Massachusetts Institute of Technology Digital Currency Initiative: Project Hamilton Phase 1—A High Performance Payment Processing System Designed for Central Bank Digital Currencies. Federal Reserve Bank of Boston, Boston (3 February 2022). https://www.bostonfed.org//media/Documents/ProjectHamilton/ProjectHamiltonPhase1Whitepaper.pdf. Accessed 26 Mar 2022.
Giesecke+Devrient: G+D Filia—A Digital Complement to Cash. Giesecke+Devrient, Munich, Germany (2021). https://www.gide.com/corporate/Payment/Central_Bank_Digital_Currencies/GD_brochure_filia.pdf. Accessed 06 Aug 2022.
Yu G, Wang X, Yu K, Ni W, Zhang JA, Liu RP. Survey: sharding in blockchains. IEEE Access. 2020;8:14155–81. https://doi.org/10.1109/ACCESS.2020.2965147.
Hafid A, Hafid AS, Samih M. Scaling blockchains: a comprehensive survey. IEEE Access. 2020;8:125244–62. https://doi.org/10.1109/ACCESS.2020.3007251.
Luu L, Narayanan V, Zheng C, Baweja K, Gilbert S, Saxena P. A secure sharding protocol for open blockchains. In: Proceedings of CCS’16—the 23rd ACM SIGSAC conference on computer and communications security. New York: 2016; ACM. p. 17–30. https://doi.org/10.1145/2976749.2978389.
Chen H, Wang Y. SSChain: a full sharding protocol for public blockchain without data migration overhead. Pervasive Mob Comput. 2019;59(101055):1–15.
Kokoris-Kogias E, Jovanovic P, Gasser L, Gailly N, Syta E, Ford B. OmniLedger: a secure, scale-out, decentralized ledger via sharding. Cryptol ePrint Arch Rep. 2017;2017(406):1–16.
Kokoris-Kogias E, Jovanovic P, Gasser L, Gailly N, Syta E, Ford B. OmniLedger: a secure, scale-out, decentralized ledger via sharding. In: Proceedings of S&P’18—the 39th IEEE symposium on security and privacy. New York: IEEE; 2018. p. 583–98. https://doi.org/10.1109/SP.2018.0005.
Zamani M, Movahedi M, Raykova M. RapidChain: scaling blockchain via full sharding. In: Proceedings of CCS’18—the 25th ACM SIGSAC conference on computer and communications security. New York: ACM; 2018. https://doi.org/10.1145/3243734.3243853.
Dang H, Dinh TTA, Loghin D, Chang EC, Lin Q, Ooi BC. Towards scaling blockchain systems via sharding. In: Proceedings of SIGMOD’19: the 2019 international conference on management of data. New York: ACM; 2019. p. 123–40. https://doi.org/10.1145/3299869.3319889.
Manuskin A, Mirkin M, Eyal I. Ostraka: secure blockchain scaling by node sharding. In: Proceedings of Euro S&PW’2020—the 2020 IEEE European symposium on security and privacy workshops. New York: IEEE; 2020. p. 397–406. https://doi.org/10.1109/EuroSPW51379.2020.00060.
Stegos AG. A Platform for Privacy Applications, version 1.0. 2019. https://stegos.com/docs/stegoswhitepaper.pdf. Accessed 3 July 2022.
Buterin V. A next generation smart contract and decentralized application platform—Ethereum White Paper. 2015.
Drake J. Ethereum Sharding. 2018. https://youtu.be/J4rylD6w2S4. Accessed 26 Mar 2022.
Wang J, Wang H. Monoxide: scale out blockchains with asynchronous consensus zones. In: Proceedings of NSDI’19—16th USENIX symposium on networked systems design and implementation. USENIX Association, Berkeley. 2019. p. 95–112.
The ZILLIQA Team. The ZILLIQA Technical Whitepaper, Version 0.1. 2017. https://docs.zilliqa.com/whitepaper.pdf. Accessed 3 July 2022.
Harmony Team. Harmony Technical Whitepaper, Version 2.0. 2018. https://harmony.one/whitepaper.pdf. Accessed 3 July 2022.
Hafid A. Probabilistic models to analyze the security of sharding-based blockchain protocols. PhD thesis, University of Mulay Ismail, University of Montreal. 2021.
Al-Bassam M, Sonnino A, Bano S, Hrycyszyn D, Danezis G. Chainspace: a sharded smart contracts platform. In: Proceedings of NDSS’18—the 25th annual network and distributed system security symposium. The Internet Society, Reston. 2018.
Sohrabi N, Tari Z. ZyConChain: a scalable blockchain for general applications. IEEE Access. 2020;8:158893–910. https://doi.org/10.1109/ACCESS.2020.3020319.
Du M, Chen Q, Ma X. MBFT: a new consensus algorithm for consortium blockchain. IEEE Access. 2020;8:87665–75. https://doi.org/10.1109/ACCESS.2020.2993759.
Chan WK, Chin JJ, Goh VT. Simple and scalable blockchain with privacy. J Inf Secur Appl. 2021;58(102700):1–11.
Singh A, Click K, Parizi RM, Zhang Q, Dehghantanha A, Choo KKR. Sidechain technologies in blockchain networks: an examination and state-of-the-art review. J Netw Comput Appl. 2020;1491(102471):1–16.
Meiklejohn S, Orlandi C. Privacy-enhancing overlays in Bitcoin. In: Proceedings of FC’2015—the 19th international conference on financial cryptography and data security. Lecture notes in computer science, vol 8976. Berlin: Springer; 2015. p. 127–141. https://doi.org/10.1007/9783662480519_10.
Chakravarty MMT, Chapman J, MacKenzie K, Melkonian O, Peyton Jones M, Wadler P. The extended UTXO model. In: Financial cryptography and data security. Lecture Notes in Computer Science, vol 12063. Berlin: Springer; 2020. p. 525–39.
Gabbay MJ. Algebras of UTxO blockchains. Math Struct Comput Sci. 2021;31:1034–89.
Brünjes L, Gabbay MJ. UTxO vs account-based smart contract blockchain programming paradigms. In: Proceedings of ISOLA’2020—the 9th international symposium on leveraging applications of formal methods, verification and validation. Lecture Notes in Computer Science, vol 12478. Berlin: Springer; 2020. p. 73–88.
Reynolds JC. Separation logic: a logic for shared mutable data structures. In: Proceedings of LICS’2002—the 17th IEEE symposium on logic in computer science. New York: IEEE; 2002. p. 55–74.
Milner R. Communicating and mobile systems: the \(\pi \)-calculus. Cambridge: Cambridge University Press; 1999.
Gabbay MJ. A theory of inductive definitions with \(\alpha \)-equivalence—semantics, implementation, programming language. PhD thesis, DPMMS and Trinity College, Cambridge University. 2000.
Gabbay MJ, Pitts AM. A new approach to abstract syntax with variable binding. Formal Aspects Comput. 2001;13(3–5):341–63.
Gabbay MJ, Ghica DR, Petrisan D. Leaving the nest: nominal techniques for variables with interleaving scopes. In: Proceedings of CSL’2015—the 4th EACSL annual conference on computer science logic. Leibniz International Proceedings in Informatics, vol 41. Leibniz-Zentrum für Informatik: Dagstuhl Publishing, Dagstuhl; 2015. p. 374–89.
Gabbay MJ. Equivariant ZFA and the foundations of nominal techniques. J Log Comput. 2020;30:525–48.
Nester C. A foundation for ledger structures. In: Proceedings of Tokenomics 2020—the 2nd international conference on blockchain economics, security and protocols. Open Access Series in Informatics, vol. 82. Dagstuhl: LeibnizZentrum für Informatik, Dagstuhl Publishing; 2021, p. 7–1713.
Coecke B, Fritz T, Spekkens RW. A mathematical theory of resources. Inf Comput. 2016;250:59–86.
McCurdy MB. Graphical methods for Tannaka duality of weak bialgebras and weak Hopf algebras. Theory Appl Categ. 2012;26(9):233–80.
Selinger P. A survey of graphical languages for monoidal categories. In: New structures for physics. Lecture notes in physics, vol 813. Berlin: Springer; 2010. p. 289–355.
Valliappan N, Mirliaz S, Lobo Vesga E, Russo A. Towards adding variety to simplicity. In: Proceedings of ISoLA’2018—the 8th international symposium on leveraging applications of formal methods, verification and validation. Lecture notes in computer science, vol 11247. Berlin: Springer; 2018. p. 414–31. https://doi.org/10.1109/Cybermatics_2018.2018.00189.
Buldas A, Saarepera M, Steiner J, Draheim D. A unifying theory of electronic money and payment systems. TechRxiv. 2021. https://doi.org/10.36227/techrxiv.14994558.
Buldas A, Draheim D, Saarepera M. Secure and efficient implementation of electronic money. In: Proceedings of FDSE’2022—the 9th international conference future data and security engineering. Communications in computer and information science, vol 1688. Berlin: Springer; 2022. p. 34–51. https://doi.org/10.1007/9789811980695_3.
Aumann Y, Lindell Y. Security against covert adversaries: efficient protocols for realistic adversaries. In: Vadhan SP, editor. Proceedings of TCC’2007—the 4th theory of cryptography conference. Lecture notes in computer science, vol 4392. Berlin: Springer; 2007. p. 137–156.
Aumann Y, Lindell Y. Security against covert adversaries: efficient protocols for realistic adversaries. J Cryptol. 2007;23(2):281–343.
Buldas A, Niitsoo M. Optimally tight security proofs for hash-then-publish time-stamping. In: Information security and privacy—ACISP 2010. Lecture notes in computer science, vol 6168. Berlin: Springer; 2010. p. 318–35.
European Central Bank, Eesti Pank, Bank of Greece, Deutsche Bundesbank, Central Bank of Ireland, Banco de España, Latvijas Banka, Banca d’Italia, De Nederlandsche Bank: Work Stream 3: A New Solution – Blockchain & eID. July 2021. Accessed 28 Mar 2022. https://www.ecb.europa.eu/paym/digital_euro/investigation/profuse/shared/files/deexp/ecb.deexp211011_3.en.pdf. Accessed 28 Mar 2022. https://haldus.eestipank.ee/sites/default/files/202107/Work stream 3A New SolutionBlockchainandeID_1.pdf.
Olt R, Meidla T, Ilves L, Steiner J. Summary report: results of the Eesti Pank—Guardtime CBDC Research. Eesti Pank, Guardtime, Tallinn. 2021. https://haldus.eestipank.ee/sites/default/files/202112/EPGuardtime_CBDC_Research_2021_eng.pdf. Accessed 11 Mar 2022.
Buldas A, Saarepera M, Steiner J, Ilves L, Olt R, Meidla T. Formal model of money schemes and their implications for central bank digital currency. Eesti Pank, Guardtime, Tallinn. 2021. https://haldus.eestipank.ee/sites/default/files/202112/EPA_Formal_Model_of_Money_2021_eng.pdf. Accessed: 11 Mar 2022.
Eesti Pank. Eesti Pank Ran an Experiment to Investigate the Technological Possibilities of a Central Bank Digital Currency Based on Blockchain, Eesti Pank. 2021. https://www.eestipank.ee/en/press/eestipankranexperimentinvestigatetechnologicalpossibilitiescentralbankdigitalcurrency13122021. Accessed 11 Mar 2022.
Foteinis S. Bitcoin’s alarming carbon footprint. Nature. 2018;554:169.
Sandner P, Lichti C, Heidt C, Richter R, Schaub B. The carbon emissions of bitcoin from an investor perspective. Frankfurt: Frankfurt School Blockchain Center; 2021.
Trespalacios JP, Dijk J. The Carbon Footprint of Bitcoin. De Nederlandsche Bank, Amsterdam. 2021. https://www.dnb.nl/media/1ftd2xjl/thecarbonfootprintofbitcoin.pdf. Accessed 29 Mar 2022.
Buldas A, Laur S. Knowledge-binding commitments with applications in time-stamping. In: Okamoto T, X W, editors. Proceedings of PKC’2007—the 10th international conference on practice and theory in public-key cryptography. Lecture notes in computer science, vol 4450. Berlin: Springer; 2007. p. 150–65.
Ethics declarations
Conflict of interest
On behalf of all authors, the corresponding author states that there is no conflict of interest.
This article is part of the topical collection “Future Data and Security Engineering 2022” guest edited by Tran Khanh Dang.
Appendices
Appendix A: Proof of Theorem 11
To prove the statement of Theorem 11, we first go through the cases with small k and then prove Lemma 8 that generalizes the argumentation to arbitrary k.
For the probabilistic audit at \(n_2\) to succeed with probability \(1-\epsilon \), at least \((1-\epsilon )(N_0+N'_0+N_1)\) grey blocks between \(n_0\) and \(n_2\) must be black, hence there must be no more than \(\epsilon (N_0+N'_0+N_1)\) white blocks between \(n_0\) and \(n_2\) (excluding the blocks at \(n_1\) and \(n'_1\)).
For the probabilistic audit at \(n_3\) to succeed with probability \(1-\epsilon \), at least \((1-\epsilon )(N_1+N'_1+N_2)\) grey blocks between \(n'_1\) and \(n_3\) must be white. As between \(n'_1\) and \(n_2\) the number of white blocks does not exceed \(\epsilon (N_0+N'_0+N_1)\), and the number of white blocks between \(n_2\) and \(n'_2\) does not exceed \(\epsilon N'_1\), there has to be at least
white blocks between \(n'_2\) and \(n_3\). This number cannot exceed \(N_2\). Therefore \( N_2 \ge (1-\epsilon )(N_1+N'_1+N_2) - \epsilon (N_0+N'_0+N_1+N'_1) \) and hence
For the probabilistic audit at \(n_4\) to succeed with probability \(1-\epsilon \), at least \((1-\epsilon )(N_2+N'_2+N_3)\) grey blocks between \(n'_2\) and \(n_4\) must be black. As there are at least \((1-\epsilon )(N_1+N'_1+N_2) - \epsilon (N_0+N'_0+N_1+N'_1)\) white blocks between \(n'_2\) and \(n_3\), the number of black blocks between \(n'_2\) and \(n_3\) cannot exceed
and the number of black blocks between \(n_3\) and \(n'_3\) does not exceed \(\epsilon N'_2\), there have to be at least
black blocks between \(n'_3\) and \(n_4\). This number cannot exceed \(N_3\) and hence \(N_3\ge (1-\epsilon )(N_2+N'_2+N_3) - \epsilon (N_0+N'_0+N_1 + N'_1 + N_2+N'_2 ) + (1-\epsilon )(N_1+N'_1)\). Therefore:
Lemma 8
For every \(k\ge 2\), the number of right color blocks (for the audit at \(n_{k+1}\)) between \(n'_{k}\) and \(n_{k+1}\) must be at least
and
Proof
We use induction on k. The case \(k=2\) follows from equation (10). Assume that \(k\ge 3\) and that the statement holds for \(k-1\), i.e. the number of right color blocks (for the audit at \(n_{k}\)) between \(n'_{k-1}\) and \(n_{k}\) must be at least
and
For the audit at \(n_{k+1}\) to succeed with probability \(1-\epsilon \), at least \((1-\epsilon )(N_{k-1}+N'_{k-1}+N_k)\) grey blocks between \(n'_k\) and \(n_{k+1}\) must be of the right color. As there are at least \(R_{k-1}\) wrong color blocks between \(n'_{k-1}\) and \(n_{k}\), the number of right color blocks between \(n'_{k-1}\) and \(n_{k}\) cannot exceed
and the number of right color blocks between \(n_k\) and \(n'_k\) does not exceed \(\epsilon N'_{k-1}\), there has to be at least
right color blocks between \(n'_k\) and \(n_{k+1}\). This number cannot exceed \(N_k\) and hence, \(N_k\ge (1-\epsilon )(N_1 + N'_1 + \ldots + N_{k-1}+N'_{k-1}+N_k) - \epsilon (N_0 + N'_0 + \ldots + N_{k-1} + N'_{k-1})\). Therefore
This completes the induction. \(\square \)
Hence, from Lemma 8, the statement of Theorem 11 follows:
Appendix B: The Category of Partial Implementations
Objects of the category are transition systems \(M=(S,T)\) with units \(1=1_S\in T\), i.e. machines. The morphisms from \(M_1=(S_1,T_1)\) to \(M_2=(S_2,T_2)\) are partial implementations, i.e. functions \(f:S_1\rightarrow S_2\) such that for every \(s_1\in S_1\) and \(t_2\in T_2\), there exists \(t_1\in T_1\) such that \(f(t_1(s_1)) = t_2(f(s_1))\). The composition gf of two morphisms is their composition \(g\circ f\) as functions.
Lemma 9
The composition gf of morphisms g and f is a morphism.
Proof
Let \(M_1=(S_1,T_1)\), \(M_2=(S_2,T_2)\), and \(M_3=(S_3,T_3)\) be machines, and let \(f:S_1\rightarrow S_2\), \(g:S_2\rightarrow S_3\) be morphisms. Let \(t_3\in T_3\), \(s_1\in S_1\), and \(s_2=f(s_1)\). As g is a morphism, there exists \(t_2\in T_2\) such that \(g(t_2(s_2)) = t_3(g(s_2))\), and as f is a morphism, there exists \(t_1\in T_1\) such that \(f(t_1(s_1)) = t_2(f(s_1))\). Therefore,
and hence gf is a morphism. \(\square \)
An object (S, T) is called trivial if \(T=\{1\}\), and full if \(T=S^S\), where \(S^S\) is the set of all functions \(S\rightarrow S\).
Lemma 10
If \(M_1=(S_1,T_1)\), \(M_2=(S_2,T_2)\) are machines, and \(M_2\) is trivial, then every function \(f:S_1\rightarrow S_2\) is a morphism.
Proof
Let \(s_1\in S_1\) and \(t_2\in T_2\). Hence, \(t_2=1\) by the triviality of \(M_2\). If \(t_1=1\in T_1\), then \(f(t_1(s_1)) = f(s_1) = 1(f(s_1)) = t_2(f(s_1))\) and hence, f is a morphism. \(\square \)
Lemma 11
If \(M_1=(S_1,T_1)\), \(M_2=(S_2,T_2)\) are machines, and \(M_1\) is full, then every bijective function \(f:S_1\rightarrow S_2\) is a morphism.
Proof
Let \(s_1\in S_1\) and \(t_2\in T_2\). As f is bijective, \(t_1=f^{-1}\circ t_2\circ f\in S_1^{S_1}=T_1\). Hence, \(f(t_1(s_1)) = f((f^{-1}\circ t_2\circ f)(s_1)) = t_2(f(s_1))\) and f is thereby a morphism. \(\square \)
Lemma 12
A morphism f is an epimorphism iff f is surjective.
Proof
Let \(M_1=(S_1,T_1)\), \(M_2=(S_2,T_2)\) and f be a morphism from \(M_1\) to \(M_2\). If f is surjective then for every \(s_2\in S_2\), there is \(s_1\in S_1\) such that \(s_2=f(s_1)\). Hence, if \(gf = g'f\) for morphisms \(g,g'\), then \(g(s_2) = g(f(s_1)) = g'(f(s_1)) = g'(s_2)\) and therefore \(g=g'\) and f is an epimorphism.
Let f be an epimorphism that is not surjective and \(s\in S_2\backslash \,f(S_1)\). We choose \(M_3=(S_3,T_3)\) to be a trivial object with \(\Vert S_3\Vert \ge 2\) and \(g,g'\) be functions from \(S_2\) to \(S_3\) the values of which only differ at s, i.e. \(g(s)\ne g'(s)\) but \(g(s')=g'(s')\) for every \(s\ne s'\in S_2\). Then \(g f = g'f\), \(g\ne g'\), and \(g,g'\) are morphisms by Lemma 10. A contradiction. \(\square \)
Lemma 13
A morphism f is a monomorphism iff f is injective.
Proof
Let \(M_2=(S_2,T_2)\), \(M_3=(S_3,T_3)\) and f be a morphism from \(M_2\) to \(M_3\). If f is injective and \(g,g'\) are morphisms such that \(fg = fg'\), then \(f(g(s)) = f(g'(s))\) and hence \(g(s)=g'(s)\) for every s, which means that \(g=g'\).
Suppose f is a monomorphism that is not injective, i.e. there exist \(s,s'\in S_2\) such that \(s\ne s'\) and \(f(s)=f(s')\). Choose \(S_1=S_2\) and \(T_1=S_2^{S_2}\), i.e. \(M_1=(S_1,T_1)\) is a full object. Let \(g=1_{S_2}\) and \(g'=(ss')\) be a transposition that swaps s and \(s'\). Then \(g,g'\) are bijective, \(fg=fg'\), \(g\ne g'\), and \(g,g'\) are morphisms by Lemma 11. A contradiction. \(\square \)
In category theory, an object D is said to be a product of objects \(M_1, M_2\), if there exist two morphisms \(D{\mathop {\rightarrow }\limits ^{\pi _1}} M_1\) and \(D{\mathop {\rightarrow }\limits ^{\pi _2}} M_2\) such that for every object M and every two morphisms \(M{\mathop {\rightarrow }\limits ^{f_1}} M_1\) and \(M{\mathop {\rightarrow }\limits ^{f_2}} M_2\) there exists a unique morphism \(M{\mathop {\rightarrow }\limits ^{f}} D\) such that \(f_1=\pi _1 f\) and \(f_2=\pi _2 f\).
In the category of sets and functions, the product is the direct (Cartesian) product, i.e. if \(S_1, S_2\) are sets then \(D=S_1\times S_2=\{(s_1,s_2):s_1\in S_1, \, s_2\in S_2\}\). The maps \(\pi _1:S_1\times S_2 \rightarrow S_1\) and \(\pi _2:S_1\times S_2 \rightarrow S_2\) are defined so that \(\pi _1(s_1,s_2) = s_1\) and \(\pi _2(s_1,s_2) = s_2\). The unique function \(f:S\rightarrow D\) is defined by \(f(s)=(f_1(s), f_2(s))\).
The direct product construction can be generalized to the category of machines and partial implementations, so that the direct product of \(M_1=(S_1,T_1)\) and \(M_2=(S_2,T_2)\) is \(D=(S_1\times S_2, T_1\times T_2)\), and the functions \(\pi _1,\pi _2\) are the same as in the category of sets and functions and it is easy to see that they are morphisms of the category of machines and partial implementations.
Partial implementations are also functions, and hence for every machine \(M=(S,T)\) and two morphisms \(M{\mathop {\rightarrow }\limits ^{f_1}} M_1\), \(M{\mathop {\rightarrow }\limits ^{f_2}} M_2\) there is a unique function \(f:S\rightarrow S_1\times S_2\) such that \(f_1=\pi _1 f\) and \(f_2=\pi _2 f\), where \(f(s)=(f_1(s), f_2(s))\) for every \(s\in S\). However, the function f is not always a morphism in the category of machines and partial implementations. Let:

\(M=(S,T)\), where \(S=\{s,s',s''\}\) and \(T=\{1,t'_1,t'_2\}\)

\(M_1=(S_1,T_1)\), where \(S_1=\{s_1,s'_1,s''_1\}\) and \(T_1=\{1,t_1\}\),

\(M_2=(S_2,T_2)\), where \(S_2=\{s_2,s'_2,s''_2\}\) and \(T_2=\{1,t_2\}\)

\(t_1=\{(s_1,s'_1),(s'_1,s'_1),(s''_1,s''_1)\}\), \(t_2=\{(s_2,s'_2),(s'_2,s'_2),(s''_2,s''_2)\}\)

\(t'_1=\{(s,s'),(s',s'),(s'',s'')\}\), \(t'_2=\{(s,s''),(s',s'),(s'',s'')\}\),

\(f_1=\{(s,s_1),(s',s'_1),(s'',s''_1)\}\), and \(f_2=\{(s,s_2),(s',s''_2),(s'',s'_2)\}\).
It is easy to see that \(f_1, f_2\) are morphisms, but the function \(f:S\rightarrow S_1\times S_2\) defined by \(f(s)=(f_1(s),f_2(s))\) is not a morphism, because for a transition \((t_1,t_2)\in T_1\times T_2\) there is no \(t\in T\) such that \(f(t(s)) =(t_1,t_2)(f(s))\). Indeed:

\(f(t'_1(s)) = (s'_1,s''_2)\ne (s'_1,s'_2)=(t_1(f_1(s)),t_2(f_2(s)))=(t_1,t_2)(f(s))\)

\(f(t'_2(s)) = (s''_1,s'_2)\ne (s'_1,s'_2)\)

\(f(1(s)) = (s_1,s_2)\ne (s'_1,s'_2)\)
This means that in the category of machines and partial implementations, not every two objects have a product.
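The counterexample can be checked mechanically. The following Python sketch is an added illustration, not code from the article: it encodes machines as dictionaries and tests the partial-implementation condition \(f(t_1(s_1)) = t_2(f(s_1))\) by brute force. The function names are hypothetical, and \(f_2\) is taken to send \(s'\) to \(s''_2\) and \(s''\) to \(s'_2\), the assignment that the three displayed computations use.

```python
from itertools import product

def failures(f, S_src, T_src, T_dst):
    """Pairs (state, target-transition name) for which no source transition
    t1 satisfies f(t1(s)) == t2(f(s)). An empty list means f is a morphism."""
    return [(s, name) for s in S_src for name, t2 in T_dst.items()
            if not any(f[t1[s]] == t2[f[s]] for t1 in T_src.values())]

def is_morphism(f, S_src, T_src, T_dst):
    return not failures(f, S_src, T_src, T_dst)

def identity(states):
    return {x: x for x in states}

def direct_product(S1, T1, S2, T2):
    """D = (S1 x S2, T1 x T2) with componentwise transitions."""
    SD = list(product(S1, S2))
    TD = {(a, b): {(x, y): (T1[a][x], T2[b][y]) for x, y in SD}
          for a, b in product(T1, T2)}
    return SD, TD

# The three machines of the counterexample; each transition is a dict
# mapping a state to its successor state.
S = ["s", "s'", "s''"]
T = {"1": identity(S),
     "t'1": {"s": "s'", "s'": "s'", "s''": "s''"},
     "t'2": {"s": "s''", "s'": "s'", "s''": "s''"}}
S1 = ["s1", "s1'", "s1''"]
T1 = {"1": identity(S1), "t1": {"s1": "s1'", "s1'": "s1'", "s1''": "s1''"}}
S2 = ["s2", "s2'", "s2''"]
T2 = {"1": identity(S2), "t2": {"s2": "s2'", "s2'": "s2'", "s2''": "s2''"}}

f1 = {"s": "s1", "s'": "s1'", "s''": "s1''"}
# Assumption: f2 as implied by the displayed computations (s' -> s2'', s'' -> s2').
f2 = {"s": "s2", "s'": "s2''", "s''": "s2'"}

SD, TD = direct_product(S1, T1, S2, T2)
pi1 = {(x, y): x for x, y in SD}      # projection onto M1
pi2 = {(x, y): y for x, y in SD}      # projection onto M2
f = {x: (f1[x], f2[x]) for x in S}    # the only candidate mediating map

if __name__ == "__main__":
    print("f1 morphism:", is_morphism(f1, S, T, T1))
    print("f2 morphism:", is_morphism(f2, S, T, T2))
    print("projections morphisms:",
          is_morphism(pi1, SD, TD, T1), is_morphism(pi2, SD, TD, T2))
    print("f morphism:", is_morphism(f, S, T, TD))
    for state, name in failures(f, S, T, TD):
        target = TD[name][f[state]]
        reachable = sorted(f[t[state]] for t in T.values())
        print(f"  at {state}, transition {name}: need {target}, "
              f"reachable images {reachable}")
```

Besides \((t_1,t_2)\), the search also reports the product transitions \((t_1,1)\) and \((1,t_2)\) at state \(s\) as having no matching transition in \(T\).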
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Buldas, A., Draheim, D. & Saarepera, M. A Theory of Secure and Efficient Implementation of Electronic Money. SN COMPUT. SCI. 4, 861 (2023). https://doi.org/10.1007/s4297902302232y